Analysis
  max time kernel: 119s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/11/2024, 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Resource: win10v2004-20241007-en
General
  Target: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Size: 2.6MB
  MD5: 100fe9882157b5de43ffa45b06182070
  SHA1: 077ec1db08d976ba9efd452ea2c51b0a54a3f4af
  SHA256: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300
  SHA512: e51237410ba338f6777177b126bad5a6d909ea2d171e3b08793227cea3172b06bb6d0e0c380b405b3421065e216ebece0890fa463507c0b723f043611182c558
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
- Executes dropped EXE (2 IoCs)
  PID 2044: locadob.exe
  PID 4824: aoptisys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGQ\\aoptisys.exe"
    Process: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint46\\optixec.exe"
    Process: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe, locadob.exe, aoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
  PID 540: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe (4 events)
  PID 2044: locadob.exe (30 events)
  PID 4824: aoptisys.exe (30 events)
- Suspicious use of WriteProcessMemory (6 IoCs; repeated entries collapsed)
  PID 540 (f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe) wrote to memory of PID 2044, procid_target 87 (3 events)
  PID 540 (f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe) wrote to memory of PID 4824, procid_target 88 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe (PID 540, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (PID 2044, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotGQ\aoptisys.exe (PID 4824, depth 2)
    Command line: C:\UserDotGQ\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15