Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Resource: win10v2004-20241007-en
General
- Target: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Size: 2.6MB
- MD5: 5d1714a9bfb70a428bc441e42d1a9700
- SHA1: 2befcff7614059fce1be59ef2bf5b678bd30ff11
- SHA256: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0
- SHA512: a2065f35ffb787e160b3527e1b1af1eb59dd5527d9c86aa5c716484c67a476b25ac84c41560f6d7a0e134a18ea455cff121997964fbee9a90bd3835638226949
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSq:sxX7QnxrloE5dpUpObV
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe)

Executes dropped EXE (2 IoCs)
- PID 4452: locadob.exe
- PID 976: aoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2Z\\aoptiec.exe" (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJE\\optidevloc.exe" (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: locadob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: aoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1260 wrote to memory of 4452 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 92)
- PID 1260 wrote to memory of 4452 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 92)
- PID 1260 wrote to memory of 4452 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 92)
- PID 1260 wrote to memory of 976 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 94)
- PID 1260 wrote to memory of 976 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 94)
- PID 1260 wrote to memory of 976 (Process: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe, procid_target: 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe"
  PID: 1260
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (depth 2, child of PID 1260)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 4452
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc2Z\aoptiec.exe (depth 2, child of PID 1260)
    Command line: C:\Intelproc2Z\aoptiec.exe
    PID: 976
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads