Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 12:19

General

  • Target

    e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe

  • Size

    2.6MB

  • MD5

    5d1714a9bfb70a428bc441e42d1a9700

  • SHA1

    2befcff7614059fce1be59ef2bf5b678bd30ff11

  • SHA256

    e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0

  • SHA512

    a2065f35ffb787e160b3527e1b1af1eb59dd5527d9c86aa5c716484c67a476b25ac84c41560f6d7a0e134a18ea455cff121997964fbee9a90bd3835638226949

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSq:sxX7QnxrloE5dpUpObV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4452
    • C:\Intelproc2Z\aoptiec.exe
      C:\Intelproc2Z\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:976

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\GalaxJE\optidevloc.exe

          Filesize

          80KB

          MD5

          7619384106c3bab7e821ffae7a2f3ab9

          SHA1

          82b6462943e3100fd1ad800cc93f6464f2f8490f

          SHA256

          aa4a7c091a2d71b5189620b2c6e05496a83eb5444ff0bc7bf76606b642ba2d27

          SHA512

          add612e18b4f53f08111f6c89ca39057bea443cdf824d21f17719ac0ee8d802ecbcb0aaffffe912e465cb72a7300e855ed85ce77b4928691830a0e606630e001

        • C:\GalaxJE\optidevloc.exe

          Filesize

          493KB

          MD5

          31f4895eae836e59010d28eeffd0cf81

          SHA1

          6d9ff9510bc9e16b1dd7b0ed5cb61969c7b4392e

          SHA256

          a2a4a2a7e3a06918ab15539efed68ffb0eae64c57e326183dc396fd4c7458ee3

          SHA512

          6eb1e8f4e3c520b752c973044f126b76119f3150df4aaae5c433cac1832b2dc63febf90b67f6c4752a3188d53413c90cded52332f44d6412ec1a3ff34da6d221

        • C:\Intelproc2Z\aoptiec.exe

          Filesize

          948KB

          MD5

          9aa3749c11ef5ec937dfa42eece2095c

          SHA1

          9b1994a1868c38074d6ce93308636a92010cce57

          SHA256

          9b074c3060987b06582871d411d590880c5e4ece1d85e4e1d6f09ecf518f5437

          SHA512

          104c388cb75eae34c2b97cccfb52bc8df9e56564bb416f337f0e10937e8f6ed95887bab228c49afa36d36103c20bc9c6d50fc4ab1e982bd7dda3e3695de22ba2

        • C:\Intelproc2Z\aoptiec.exe

          Filesize

          2.6MB

          MD5

          d9b82342813ad0fa46f6f70e98003171

          SHA1

          c38a784af0304782a69472e721f6bdf29f317d05

          SHA256

          73fa832e8b81b53f87f817177b7277b7a01416595e516b5525c633b12fc50331

          SHA512

          0a77f2d644d2ed3c6295fe4d8e75e2f1f5f4b02baab6c155299fc5250da62bc09c1519169c61da1c9b21f82fadf15b0d188e1e75c3e9cd71eeacbe29fea668b9

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          208B

          MD5

          c28b5f716c8ad869d911f033d89401a6

          SHA1

          8755a032304e551a0651be3bb0bdaa3aaac668d6

          SHA256

          0ef690e404fc0ec2f8ebedb493449fe7995c2d5cc1facf9284a0a6188fb301e6

          SHA512

          82ac0db07a3f12558a1b4bd3166daf0fbd9d227c37758b3af25c00283d2cd4e77c66df1e91d38287d53a8084fb4546fadc3f1e9411aeaf909867710743e27b6f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          176B

          MD5

          fb18e10677757cfec726dcd50fca0b7b

          SHA1

          57db6dbbb8b301cfcbb3dabde00cdbd712c9cfdc

          SHA256

          f40cf2863cf84089b7f24c9f051357b0b2422919681ceabf9c5144852f8f324e

          SHA512

          20cb48379c46c5a0b100879d086aa4848d9be56e77edd5cfb9cee5d47f5ca02760b0ef8e581e838a295ffea4f066efee5c31bbccafe6de1ad5b881cd216440f2

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          88e648aef0a644247b041f89c2754374

          SHA1

          6a66a05254da8f26f970f02fa9cc28e801bd6db6

          SHA256

          e5bea9350a45d925fc052ce242ec99b3618ab9ccd94837e14479ad3e5b5150f3

          SHA512

          98e8f11a0587769528e3c7c19b189abf1df791a0129a5370b0d7e02f907f923e7b4a93955386407a94206b01abebfed98cde50a5ba5cf22327c06f6ce06883a8