Analysis

  • max time kernel: 119s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 12:17

General

  • Target: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  • Size: 2.6MB
  • MD5: 100fe9882157b5de43ffa45b06182070
  • SHA1: 077ec1db08d976ba9efd452ea2c51b0a54a3f4af
  • SHA256: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300
  • SHA512: e51237410ba338f6777177b126bad5a6d909ea2d171e3b08793227cea3172b06bb6d0e0c380b405b3421065e216ebece0890fa463507c0b723f043611182c558
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
    "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2044
    • C:\UserDotGQ\aoptisys.exe
      C:\UserDotGQ\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint46\optixec.exe
    Filesize: 134KB
    MD5: 4e3f0403281081be22e935b61607e38a
    SHA1: 8a353b0fd989513c50be92552a084e2b464cde55
    SHA256: a2d5837eccdc818c27f27ea24182bd347934612294d034840411da38b39f857c
    SHA512: 56e64b0abe8de2cdaf46de63e20bb49330fe6df252496e15f2157795f67067eb6a5f7f5dfc0d9c65f7ef3db170f0cc5e09b78fdd2522d84b05e57bfb83b52471

  • C:\Mint46\optixec.exe
    Filesize: 2.6MB
    MD5: 9f4b14bf6e2e5746f36526d2b13885d8
    SHA1: fb90e42b45fcc872cf77ba1c9fb7cc5cdb6a4616
    SHA256: 23146081297e9dbf693d84d4660d2e2561aed7fd0ca130467cea16954d6599d2
    SHA512: 34b96c016b09e34187437adbd3ee80a619fef5cf69cefe32295d1ae344f453a75732070cbd57299e42a9184b7402c78b5eb9d18bdb77cc17edf9904587518b9f

  • C:\UserDotGQ\aoptisys.exe
    Filesize: 2.2MB
    MD5: dbdec9b8130fa7e62301ff785b30176e
    SHA1: 28b649ae1dac701a57b12e25341c7d6e48d3fc90
    SHA256: 03e33497f1dac91bc7ad0c9862073256d677aca47beca745179311b2c7fa050c
    SHA512: 007596c3ba13d009e40379ebb5fc2bcef75debb6d7360d1342bdf650dc9a8e8e96467b7065b147ef510afb046e5c3f2e839b6bdc0400fe1005304f5a1238092b

  • C:\UserDotGQ\aoptisys.exe
    Filesize: 2.6MB
    MD5: b10c8d38ee3734ca2d0a484fbfeaf595
    SHA1: 95cddfd8090042448d5ffb15d179d0eed8a69ce4
    SHA256: 087fd3eda96f434466d0348ee657cf89f8d3563c2483ca73c867fa23549399c0
    SHA512: 1f194e2086757502c2bd13bd50054de3f2c803f83c4219afe72b407319d8170d68a17e2b9870c88c114fe9fde977f4d8682edad61757500b88c9aab3726b4a73

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 88a2edb7069f99a3d17dd0fb363b8ad5
    SHA1: 16eb5c516c1eeb8e86d2a7e1348cab64ba0a574b
    SHA256: 8f6047773cd259ff6068458c3d4a4c38cd671dcda656ca687f42e4358400e35e
    SHA512: 025d405260564bc2a8d086051cc1921a57ca8ca203b687e6dcbe774843fc58299efa323d38b200b9f80220fb063a98bae8e6af4da952785c5c1a044378488877

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 25cfb747d46960eb807349597769a625
    SHA1: e3dbcdb9f461443a5b2c82904d821ce9793ebf4a
    SHA256: 258e3d58d164517e613022ad45ff0c6b14ccba3739f39be1956b5893da7ea209
    SHA512: 842240295b0cd69ec84df5999fe8fe9050c8a83cbb7f774eb0b1187a145d87efd75de0058217a6173b8600f62f67cc3c019450749053ccbf8f41efd98fe6227c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize: 2.6MB
    MD5: 2093bdb63980e1eabe37449742a3ca79
    SHA1: 16ad7badcceb82a716c082dad3f5a4c96cac6d27
    SHA256: 0e095891b72979d732b2fc815dee3e09d6d591915773d53b342aabc975211fbd
    SHA512: de32271dba15fe69d7b6a733e59178aa8e57d04300cd74eeedb8c101c4370693ec2c0c019d3055f7875c37eb7cda20660d33731bc1f04493e8dfd2e73a086155