Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:42

General

  • Target

    7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe

  • Size

    2.6MB

  • MD5

    5e766b1c0a77dc453ff6f67737e8bec0

  • SHA1

    4de0702d4d12030108e83a9bc31696fd9508314b

  • SHA256

    7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669e

  • SHA512

    c116bef1e3bb97d73dcaefdb79fd8dbaf800aa7296a11f704aff28760bd278372ea578e47b88071e30b1530abb06d0f09851e72c0416a474a0faed1c68a2e338

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
    "C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3588
    • C:\FilesLP\aoptiec.exe
      C:\FilesLP\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:660

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesLP\aoptiec.exe

          Filesize

          2.6MB

          MD5

          889d9cc2e0795de5a973596d8debe55b

          SHA1

          0505657360388ab374bb5391692219e6af122135

          SHA256

          aa7111683340d91ee135dcd92bccbe7961975e76da6763de2eacdac09520af37

          SHA512

          1f609f393e2d4403add193a47c119eb9dbd835bb66706ce6100f9bfecd50e74217cb2175e3340487d62c64b5791054540fd65894a93f3ed47154ec7ac612f7dd

        • C:\KaVBFC\optialoc.exe

          Filesize

          119KB

          MD5

          d008e09b09f2375c991323ff142c7801

          SHA1

          0b4ac89a019bd9e83f5309c417cb18cfe5c7a39a

          SHA256

          e126794bd35ebcb33c483c8de7d7b0cc113c7c42d147b29f9e4725ff9b7e6849

          SHA512

          6a892be4295d6a877693e19a5a4dfb3c286ce9cba13ba6bab21cd85abb9b33934a41264566a3ef481c4a9c2e80c139fd0994afa6780509aab6fe555be66a455d

        • C:\KaVBFC\optialoc.exe

          Filesize

          14KB

          MD5

          9262cab29eba6c8ec58cf55dd510774f

          SHA1

          9c109088d1dc40745dede1654950cf3c14a07d0e

          SHA256

          e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945

          SHA512

          2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          b82fbc0bb660c0ed3400a39120e5ab36

          SHA1

          8505638b8fd345d76a1feca0e5e840a7436c0e74

          SHA256

          54db3406ca61f225f05ba9404f032e7c3b3522cfde4700e222e419e29fdcea35

          SHA512

          3663662f1a61f67648b5587f5bc672883bc7df0a3909b17b8323db9afd470e3d99dcd0d65dc5d75e04b6c8fd1d83b6e756e93316728b623cf32f918d442cf1e6

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          aa3f16674f48107bfb82601a00466419

          SHA1

          74928858aa9f2b4d3774de5de2ae1fd78c2d315a

          SHA256

          dab8a10a8d0e6dc07a4b5ddab897f0225825bb08da1b01b2a43dd3e14730b293

          SHA512

          f876cb95bb53038add7a174b9f455d1aa60b88138bd74d72947c983f01b7b79603d4043826b93f800779df4319ffff6cabbba755c1fe92a17195df4622ded479

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          54ba8af696b4db17e7af57520e727ba1

          SHA1

          e01c304fd9b10163e4bce796a726ba77d9eff5e9

          SHA256

          3ce830128c69c546ab58edacfb2eed984e3fd23ae1066e0637dfe03d5af2e582

          SHA512

          ea0dfbf4c6c229f10e901140d24b96db642eff8ed9aede2ba25fc721f689273cf2201ca5430d5168212e2e6563bbe549d4e13fff716f57a9177021311f2a2eb6