Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08/11/2024, 22:56

General

  • Target

    9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

  • Size

    2.6MB

  • MD5

    715576c05f35bc351aebaacfbc5f6b10

  • SHA1

    5fae5b27d815c649e98403034a213e25a5e020f8

  • SHA256

    9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a

  • SHA512

    4edfdfb9e0771d120f547a9ce5ad74b3d90520f74179f49764e6ef8e44c4b1f38773476fa36b5ad880b56cb3eab2a63b216f5c9d9a408ecc9c2315a3c5840625

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
    "C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1620
    • C:\IntelprocPJ\aoptiloc.exe
      C:\IntelprocPJ\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocPJ\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          801beee79e3724b97b2abb5d6dea1a7c

          SHA1

          c6e5946b6d43578793637a6dc672bb3ab7b75663

          SHA256

          cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be

          SHA512

          68e94ed3902d4b67e0155aa63c1ae98fa43f5beaeaaee15c264df11920655431bee63fbbb944d508066ddf4adea841b56ffe48b126d7cb9db2e003951e0a8266

        • C:\LabZVO\optidevec.exe

          Filesize

          2.6MB

          MD5

          01b1255701d529b787dbbd24fbefa25d

          SHA1

          4aa15aced1bf4e9b5a75f77c4680a6b8b7f53d0a

          SHA256

          e29118e858b820a30ffd55d3419c6d175b04d87ccf38cc0f74d155331a4fdca6

          SHA512

          3a965796d8d0419f0dae1dd47af96d76b0c47a80b7c6a6490701f06bac63abbf2b6ec7cd17cb19f30e163eb513bec0103202f72b45e5ba8e7ea3d09628ce8c0f

        • C:\LabZVO\optidevec.exe

          Filesize

          12KB

          MD5

          63a0ef76826092fea4e01baf01c034cd

          SHA1

          7928773c93e5415d90fd843aab4e88e2aac63b3e

          SHA256

          352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a

          SHA512

          b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          178B

          MD5

          562e6815f8f52c39e8a05c4651bd7117

          SHA1

          d0c35e9cf5aaf60b539fcb4f6430f12e13bd52db

          SHA256

          ef4d728e571cc96f7e58a2ae6dcc918d7d79d2a40fbdd7e2d57a283a640ce075

          SHA512

          5a22b9fa0754e83cbac748a7e13085b8ead11131ae17c890b50c973326409eca9998cdd5fc31063cbf34a45858a453764da2c93a7311a1951cf6a74b0e6c6366

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          210B

          MD5

          60f946a8ff82c9507ddba9db39450ac6

          SHA1

          d87a24b58b504ebfe48bcac8232bfa527df4ed67

          SHA256

          f9f61ee0f97f271d6969213531810b42e2d786d04fc027c987c020367033e46a

          SHA512

          71ffe46aae665ca596433d7fdf32627eedfaf191041436c6db8c21be9502500c29d67f78262cf0b2f0f21a15dafd6c953eadf632457d348a1c2ddf57e2cf7a9d

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

          Filesize

          2.6MB

          MD5

          7d3a2be3e79342359eee08f91e3ff343

          SHA1

          1f9cc926d59351d1e9bcb618e2e08860167abc76

          SHA256

          f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89

          SHA512

          4c66240460bf9f0d93a00dc68ce83bb012ffd65ce9102f7694d38dcb7f5a62c0f3cf2e8976cdd7200106e9334c22c546526a3fa4bdce5b9c76da7b20af4bb788
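The dropped-file list above is only useful on another host if it is turned into something that can be matched. The following Python is an added example, not part of the sandbox report: it takes the SHA-256 values and paths recorded above and checks a constructed file inventory against them. Hash matches are exact; the three path heuristics (an EXE in the per-user Startup folder, an EXE in a non-standard directory directly under the drive root such as `C:\IntelprocPJ\`, and a `<digits>_<ver>_<user>.ini` in the profile root) are our own generalisation of the paths in the report, and the allowlist of standard root directories is an assumption, not something the sandbox states. Note that `C:\LabZVO\optidevec.exe` and the `.ini` each appear twice with different sizes, so both hashes of each are kept.

```python
import hashlib
import re
from dataclasses import dataclass

# SHA-256 values copied from the report above: the submitted sample and every file it wrote.
# Two paths were written twice with different content, so both hashes are listed.
KNOWN_SHA256 = {
    "9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a": "submitted sample",
    "cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be": r"C:\IntelprocPJ\aoptiloc.exe",
    "e29118e858b820a30ffd55d3419c6d175b04d87ccf38cc0f74d155331a4fdca6": r"C:\LabZVO\optidevec.exe (2.6MB)",
    "352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a": r"C:\LabZVO\optidevec.exe (12KB)",
    "ef4d728e571cc96f7e58a2ae6dcc918d7d79d2a40fbdd7e2d57a283a640ce075": r"C:\Users\Admin\253086396416_6.1_Admin.ini (178B)",
    "f9f61ee0f97f271d6969213531810b42e2d786d04fc027c987c020367033e46a": r"C:\Users\Admin\253086396416_6.1_Admin.ini (210B)",
    "f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89": r"...\Startup\locdevopti.exe",
}

# Root-level directories that legitimately hold executables. Anything else directly under the
# drive root (C:\IntelprocPJ\, C:\LabZVO\) is flagged. Assumption: this allowlist is ours.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}

# Per-user Startup folder, matched case-insensitively as a path suffix.
STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"

# <digits>_<major>.<minor>_<name>.ini directly in the profile root, generalised from
# 253086396416_6.1_Admin.ini (assumption: "6.1" is the OS version and "Admin" the user name).
PROFILE_INI = re.compile(r"^\d+_\d+\.\d+_[^\\]+\.ini$", re.IGNORECASE)


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks; used to build FileRecords from a real inventory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(rec: FileRecord) -> list[str]:
    """Return the reasons a record looks like this sample's activity; empty list means no match."""
    reasons = []
    parts = rec.path.split("\\")
    name = parts[-1].lower()
    parent = "\\".join(parts[:-1]).lower()

    if rec.sha256.lower() in KNOWN_SHA256:
        reasons.append("hash:" + KNOWN_SHA256[rec.sha256.lower()])
    if parent.endswith(STARTUP_SUFFIX) and name.endswith(".exe"):
        reasons.append("path:exe-in-startup-folder")
    if (len(parts) == 3 and re.fullmatch(r"[a-z]:", parts[0].lower())
            and parts[1].lower() not in STANDARD_ROOT_DIRS and name.endswith(".exe")):
        reasons.append("path:exe-in-nonstandard-root-dir")
    if len(parts) == 4 and parts[1].lower() == "users" and PROFILE_INI.match(parts[-1]):
        reasons.append("path:ini-in-profile-root")
    return reasons


def scan(records) -> dict:
    """Map path -> reasons for every record that matched at least one indicator."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


# Constructed inventory (not from the sandbox): three paths and hashes taken from the report,
# one benign system file with a placeholder hash, and a renamed copy of the 12KB optidevec.exe
# whose hash still matches even though its path does not.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\IntelprocPJ\aoptiloc.exe",
               "cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be"),
    FileRecord(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe",
               "f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89"),
    FileRecord(r"C:\Users\Admin\253086396416_6.1_Admin.ini",
               "f9f61ee0f97f271d6969213531810b42e2d786d04fc027c987c020367033e46a"),
    FileRecord(r"C:\Windows\explorer.exe", "0" * 64),
    FileRecord(r"C:\Users\Admin\Downloads\setup.exe",
               "352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(reasons))
```

The hash table catches renamed copies; the path heuristics catch re-built variants whose hashes differ (the sandbox already shows one path written with two different contents), so a hunt should use both. On a live host, build the records with `sha256_of_file` over the Startup folder, the profile roots and the drive root, and also inspect the `HKCU\...\CurrentVersion\Run` key the report says was modified, which a file-system scan alone will not see.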