Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 13:20

General

  • Target
    b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  • Size
    2.6MB
  • MD5
    eb0b3ea8f23af1bafa96769bd9a21a60
  • SHA1
    9e671d8117b4f5c5ffad9536b4ca601dff1f3b70
  • SHA256
    b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819
  • SHA512
    99eedcf0a8ccc292c62856afc68e6969d5cfb6eccba2670a46fc4c818db51dec75d08d9a7998655d266ed72b4cac49b7a5697270ba6c003a49b8beb3ada94b59
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpAbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
    "C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2768
    • C:\UserDotS2\aoptisys.exe
      C:\UserDotS2\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZCK\optidevec.exe
          Filesize
          2.6MB
          MD5
          58e0706c5493e7a7c1be38c71c6b4b0e
          SHA1
          f970475028898a2e1fd60baa95c6b29c220f084e
          SHA256
          5e7868f0e25369b69bb46ba4911b5b66693623f20c91abbebab8be989cada78b
          SHA512
          9851229895548255979d856af061c101d46a3089d2003b0b108fe81976a93f4f5d17d338ac8d44473789c44dfd06145e2d2be9bfd06b68b01efa77378e5b4506

        • C:\UserDotS2\aoptisys.exe
          Filesize
          2.6MB
          MD5
          277ab40f6a0a57b5778d029c62245a16
          SHA1
          f2bf1f7bc7ea5f40e75e994d6ff4de74ee66bc64
          SHA256
          c04fd4911cf4b12ede5aafc68fa5b1a21ec157efa1d0fe76f4f96b35d6e1f839
          SHA512
          821ff967347e0f72577acb35962dba9276812d9d88ba1a94ca9a44b5b885117ad9dfc87345497ec11406834d447728c7a33d87f904d381280eb9b767d76f11c8

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          173B
          MD5
          99f0e38a9ba663f08c046af73ec1d323
          SHA1
          3fbda91016ba560724817d5fb11f31278da0b8cf
          SHA256
          68484f194a6d826d456618d092979868ea8d367236db14a7850c3b0940ee2155
          SHA512
          f480e48bb39bd9dc737a5add4b9c03a317876f916501d5b33ef00a57f2d7408a035edd44cfab6dd6621c2df7161b38cff5b7e38a4b374182c7cce0bf979799b0

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize
          205B
          MD5
          f0728a56b58f64740d9d5a6e5f28c895
          SHA1
          a484874507f906831a298f8e8413e90844c86876
          SHA256
          fa521746458605e64e6acca7a55913f81fe38708d2f4b1d92c8d89910e8f36db
          SHA512
          2336e7079dd1eaa70479291c156f1f976ed584082fc0bf3ab11f0b16106662dfd2945d76677d3ee3d9fece8c5615d485a5ba0a39d300b22ab63cab66c2dff1b8

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
          Filesize
          2.6MB
          MD5
          2ac8e43590485a36716e49d4c4651ff6
          SHA1
          4095ce96df0d354eb5f1b8b3a05efca51d4638ea
          SHA256
          92ad5fe26c63beaa617a1e0699b73262fc211489fe78c3a6ee741f271dfeb157
          SHA512
          483a8a46be83f88d5583246e2372b21ccf3e05558390a627eb707e733b5cc0138a8da3fba7e72287b8ca02092302a109c5f478527ca9516ca45994771207f363