Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 13:20

Static task: static1

Behavioral task: behavioral1
Sample: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Resource: win10v2004-20241007-en
General
Target: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Size: 2.6MB
MD5: eb0b3ea8f23af1bafa96769bd9a21a60
SHA1: 9e671d8117b4f5c5ffad9536b4ca601dff1f3b70
SHA256: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819
SHA512: 99eedcf0a8ccc292c62856afc68e6969d5cfb6eccba2670a46fc4c818db51dec75d08d9a7998655d266ed72b4cac49b7a5697270ba6c003a49b8beb3ada94b59
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpAbV
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe

Executes dropped EXE (2 IoCs)
pid | Process
2768 | sysadob.exe
2808 | aoptisys.exe

Loads dropped DLL (2 IoCs)
pid | Process
2888 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
2888 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are recorded for this signature in the report.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotS2\\aoptisys.exe" | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCK\\optidevec.exe" | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2888 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | 2
2768 | sysadob.exe | 31 (alternating with 2808)
2808 | aoptisys.exe | 31 (alternating with 2768)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target | entries
PID 2888 wrote to memory of 2768 | 2888 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | 30 | 4 (identical)
PID 2888 wrote to memory of 2808 | 2888 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | 31 | 4 (identical)
Processes
C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
  PID: 2888 (depth 1)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      PID: 2768 (depth 2, child of 2888)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\UserDotS2\aoptisys.exe
      Command line: C:\UserDotS2\aoptisys.exe
      PID: 2808 (depth 2, child of 2888)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
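The chain the Signatures and Processes sections record (an EXE dropped into the user's Startup folder, Run and RunOnce values both named Parametr pointing at C:\UserDotS2\aoptisys.exe and C:\LabZCK\optidevec.exe, and the parent PID 2888 then launching both dropped executables) is what a detection engineer would hunt for on a real host. The following is an added example written for this page, not the sandbox's code or output: it runs that logic over a handful of constructed Sysmon-style events (Event IDs 1, 11 and 13; the records are made up here and the field names are assumed to follow Sysmon's) and generalises the Run-key check to any EXE staged one directory below a drive root outside the standard Windows directories, which goes beyond the two paths seen in this run. The directory allow-list and the regexes are assumptions, not values from the report.

```python
"""Hunt for the persistence chain recorded in the sandbox report above.

Added example, not the sandbox's code. Events are plain dicts whose field
names follow Sysmon Event IDs 1 (process create), 11 (file create) and
13 (registry value set); the records below are constructed for this page.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators lifted from the report's Signatures and Processes sections.
RUN_VALUE_NAME = "Parametr"
DROPPED_IMAGES = {r"C:\UserDotS2\aoptisys.exe", r"C:\LabZCK\optidevec.exe"}
STARTUP_EXE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Assumption (generalisation): the dropper stages Run targets in short, freshly
# created top-level directories (C:\UserDotS2, C:\LabZCK here), so flag any Run
# value launching <drive>:\<dir>\<name>.exe where <dir> is not a standard root.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
ROOT_EXE_RE = re.compile(r'^"?([A-Za-z]:\\([^\\]+)\\[^\\]+\.exe)"?(\s.*)?$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    parent: Optional[int] = None


def run_value_in_odd_root_dir(data: str) -> bool:
    """True if a Run/RunOnce value launches an EXE from <drive>:\\<dir>\\ outside the usual roots."""
    m = ROOT_EXE_RE.match(data)
    return bool(m) and m.group(2).lower() not in KNOWN_ROOT_DIRS


def check_event(ev: dict) -> list:
    """Apply the three rules to one event and return the findings it triggers."""
    eid, pid = ev["EventID"], ev["ProcessId"]
    found = []
    if eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if m:
            data = ev["Details"]
            if m.group(2) == RUN_VALUE_NAME:
                found.append(Finding("run-key-named-parametr", pid, f"{ev['TargetObject']} = {data}"))
            if data.strip('"') in DROPPED_IMAGES or run_value_in_odd_root_dir(data):
                found.append(Finding("run-key-to-odd-root-dir", pid, data))
    elif eid == 11:  # file create
        if STARTUP_EXE_RE.search(ev["TargetFilename"]):
            found.append(Finding("exe-dropped-in-startup-folder", pid, ev["TargetFilename"]))
    elif eid == 1:  # process create
        img = ev["Image"]
        if img in DROPPED_IMAGES or STARTUP_EXE_RE.search(img):
            found.append(Finding("dropped-exe-executed", pid, img, parent=ev["ParentProcessId"]))
    return found


def hunt(events: list) -> list:
    return [f for ev in events for f in check_event(ev)]


def droppers(findings: list) -> set:
    """PIDs that both wrote persistence and then launched one of the dropped EXEs.

    The report's WriteProcessMemory rows (2888 -> 2768, 2888 -> 2808) coincide
    with the parent spawning its two children, so parent PID is the link used here.
    """
    persisted = {f.pid for f in findings
                 if f.rule.startswith("run-key") or f.rule == "exe-dropped-in-startup-folder"}
    launched = {f.parent for f in findings if f.rule == "dropped-exe-executed"}
    return persisted & launched


SID = "S-1-5-21-4177215427-74451935-3209572229-1000"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"

# Constructed events mirroring the report's IoCs, plus two benign records.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2888, "Image": SAMPLE_EXE, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "ProcessId": 2888, "Image": SAMPLE_EXE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotS2\aoptisys.exe"},
    {"EventID": 13, "ProcessId": 2888, "Image": SAMPLE_EXE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZCK\optidevec.exe"},
    {"EventID": 1, "ProcessId": 2768, "ParentProcessId": 2888, "Image": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 2808, "ParentProcessId": 2888, "Image": r"C:\UserDotS2\aoptisys.exe"},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Windows\explorer.exe",  # benign Run value
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
    print("dropper PIDs:", droppers(findings))
```

On the constructed input the seven findings all trace back to PID 2888 and its two children, and the OneDrive Run value stays quiet because it launches from under C:\Users. On a real host the value name Parametr and the two staging directories are the cheapest indicators to check first; the root-directory heuristic is the one most likely to need tuning.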
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: 58e0706c5493e7a7c1be38c71c6b4b0e
SHA1: f970475028898a2e1fd60baa95c6b29c220f084e
SHA256: 5e7868f0e25369b69bb46ba4911b5b66693623f20c91abbebab8be989cada78b
SHA512: 9851229895548255979d856af061c101d46a3089d2003b0b108fe81976a93f4f5d17d338ac8d44473789c44dfd06145e2d2be9bfd06b68b01efa77378e5b4506
-
Filesize: 2.6MB
MD5: 277ab40f6a0a57b5778d029c62245a16
SHA1: f2bf1f7bc7ea5f40e75e994d6ff4de74ee66bc64
SHA256: c04fd4911cf4b12ede5aafc68fa5b1a21ec157efa1d0fe76f4f96b35d6e1f839
SHA512: 821ff967347e0f72577acb35962dba9276812d9d88ba1a94ca9a44b5b885117ad9dfc87345497ec11406834d447728c7a33d87f904d381280eb9b767d76f11c8
-
Filesize: 173B
MD5: 99f0e38a9ba663f08c046af73ec1d323
SHA1: 3fbda91016ba560724817d5fb11f31278da0b8cf
SHA256: 68484f194a6d826d456618d092979868ea8d367236db14a7850c3b0940ee2155
SHA512: f480e48bb39bd9dc737a5add4b9c03a317876f916501d5b33ef00a57f2d7408a035edd44cfab6dd6621c2df7161b38cff5b7e38a4b374182c7cce0bf979799b0
-
Filesize: 205B
MD5: f0728a56b58f64740d9d5a6e5f28c895
SHA1: a484874507f906831a298f8e8413e90844c86876
SHA256: fa521746458605e64e6acca7a55913f81fe38708d2f4b1d92c8d89910e8f36db
SHA512: 2336e7079dd1eaa70479291c156f1f976ed584082fc0bf3ab11f0b16106662dfd2945d76677d3ee3d9fece8c5615d485a5ba0a39d300b22ab63cab66c2dff1b8
-
Filesize: 2.6MB
MD5: 2ac8e43590485a36716e49d4c4651ff6
SHA1: 4095ce96df0d354eb5f1b8b3a05efca51d4638ea
SHA256: 92ad5fe26c63beaa617a1e0699b73262fc211489fe78c3a6ee741f271dfeb157
SHA512: 483a8a46be83f88d5583246e2372b21ccf3e05558390a627eb707e733b5cc0138a8da3fba7e72287b8ca02092302a109c5f478527ca9516ca45994771207f363