Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Resource: win10v2004-20241007-en
General
Target: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
Size: 2.6MB
MD5: 715576c05f35bc351aebaacfbc5f6b10
SHA1: 5fae5b27d815c649e98403034a213e25a5e020f8
SHA256: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a
SHA512: 4edfdfb9e0771d120f547a9ce5ad74b3d90520f74179f49764e6ef8e44c4b1f38773476fa36b5ad880b56cb3eab2a63b216f5c9d9a408ecc9c2315a3c5840625
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

Executes dropped EXE (2 IoCs)
  pid 1620: locdevopti.exe
  pid 1664: aoptiloc.exe

Loads dropped DLL (2 IoCs)
  pid 2548: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  pid 2548: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPJ\\aoptiloc.exe"
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVO\\optidevec.exe"
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevopti.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated hits from three processes:
  pid 2548: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  pid 1620: locdevopti.exe
  pid 1664: aoptiloc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2548 wrote to memory of 1620 (4 hits)
  pid: 2548
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  procid_target: 30
  description: PID 2548 wrote to memory of 1664 (4 hits)
  pid: 2548
  Process: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  procid_target: 31
Processes

C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
  PID: 2548
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child processes of PID 2548:

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 1620
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocPJ\aoptiloc.exe
    Command line: C:\IntelprocPJ\aoptiloc.exe
    PID: 1664
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads