Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:01

Static task: static1
Behavioral task: behavioral1
  Sample: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
  Resource: win10v2004-20241007-en
General
Target: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
Size: 2.6MB
MD5: 5d793986e055bf27b3397a43b07db2e0
SHA1: 2bdeb33c4dbb5bd946919ff763caf2a6565cb520
SHA256: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12
SHA512: ff8cce86d8f6db3885257ca4049570bbf01109a2eea7a8c7c6b27dc98949093c3787b3f0ef2e57050bcc350b1ee26267ba3fe88aa1011c101d0ac7f5b2ba3e74
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpwbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)

Executes dropped EXE (2 IoCs)
  PID 2980: ecxbod.exe
  PID 5076: aoptiloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKO\\aoptiloc.exe" (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMQ\\dobdevloc.exe" (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptiloc.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events recorded: 4 from PID 216 (06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe); the remainder alternate in pairs between PID 2980 (ecxbod.exe) and PID 5076 (aoptiloc.exe).

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 216 (06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe) wrote to memory of PID 2980, procid_target 87 (3 events)
  PID 216 (06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe) wrote to memory of PID 5076, procid_target 90 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe (PID 216, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (PID 2980, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvKO\aoptiloc.exe (PID 5076, depth 2)
    Command line: C:\SysDrvKO\aoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 4377fcdc62993ce1dffb5d08714b8b0f
SHA1: 8d4c68e5e3cb5dcc564b27328b69f47fbacea9f5
SHA256: 37667a8f28887f184c7b42b92d04aae5089043ba7fcb0bdcd7ba3b084ca45711
SHA512: 4f3ae57fcac23c6f9fc2725e42fbdabdb2049abd9f033af3263683ad684fbfb708de6680e7ce376ca3baa5c84675982c0dc429c999eb0aae951eef0a30ab06e6

Filesize: 202B
MD5: b32f01c609a15adaca850ae1807a9332
SHA1: 25e672f157b0622c010173d1a314293f71a2276f
SHA256: 8fbb15d9aace682c3128e3139c9d8fb61c1793ee5b4bbc04ab2e198acd994fb2
SHA512: f50aa2d8cc63cb78227ebcda421a1bea33fb1536edfe49fc921ba4caa1afcea791afe7bab6305e899c24304564f6ee03981d02d2b99cbd5e30c798418e0ffe2f

Filesize: 170B
MD5: 974234e2024a5141e0a3f207ed07773d
SHA1: fff2f5f5c51cfb2b88746a21c01a314d50cc2367
SHA256: 81f4b77294a982108683eefbf9ca858f69c9cef34a792fcbd60f241b9dd606c5
SHA512: f20575107544cb961195b1420f3c225fdc99ea11cbe1cae44e50164c0145aef38f70c13f7dc1f32d8e961dccc94267d8db12186455c37cf3b55a43b1d78984d7

Filesize: 2.6MB
MD5: a275d69e0bb3d97071782b37a2afffde
SHA1: 1421f6ea00909aeee0183b80e304c0b8d55f8e39
SHA256: 6177adfa2373810c9687372cfd415cdf53c16f7c7b4e35e4a4c6046c6373826e
SHA512: 3e3733f77e668e158735b4903358fa67686bb189c7e46a0b1fedcca56b44a76f0323b2f88fad16b228fd206a8a731dce7bbd033347c0829e65998019c6808d63

Filesize: 2.6MB
MD5: a26010c1243d4924f50bc28f4c9836d3
SHA1: 15797bfc341cf85bc809e0eeac04704c0dccfa0a
SHA256: dfdd5177a6ec3cf2e7aa404dc73384f38d54d03f3275c96f0b36abff7916cd5d
SHA512: ca028327e9089759d03b2df5c359eb59c6b85dee38f05c169312d9404843f73d43beaf4ad46f8ffd368e9a2d477d788e2dafd298aa42b1ea9606b91644649e50

Filesize: 2.6MB
MD5: d5c10ee29bb098c28be488ba504faf27
SHA1: 7d31f467ccb37832e321f8403e2497ab30a1a956
SHA256: 97fb5838213d13a5864e9ebaa56f363a5d5df39f481d71833a1f9ff39284a985
SHA512: 814a15ea040b1cdcef37d8c7607a0125333dfa4330a5570b15fad3721008151def9eec7ffa90a7ce2ec2bff66bcbc5f62a0942587b75645741097efd9d4691c5