Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/11/2024, 14:34
Static task
static1
Behavioral task
behavioral1
Sample
b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
Resource
win10v2004-20241007-en
General
-
Target
b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
-
Size
2.6MB
-
MD5
8b3600d845d35db96432e598e7d45770
-
SHA1
b1cb17f0b17ab255fe2df7fa898c41bd4c9fe4ec
-
SHA256
b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81
-
SHA512
7889c5dc8ac7dd1b110975231f5dbee6c549de56ee8cd545afd36f87ae9bf431b1b1d7089881eb0a46cedfec2faf4f3216cc960249327e9efcc40aeac19219d3
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4312 | locdevdob.exe
5032 | aoptiloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies. No individual IoC rows are listed for this signature in the report.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0W\\aoptiloc.exe" | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7V\\bodxec.exe" | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
-
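A host-triage check for the two persistence mechanisms recorded above (the executable dropped into the per-user Startup folder, and the HKCU Run/RunOnce values named Parametr), written as an added example for this page; it is not part of the sandbox report or of the sample. The dropped file names, the value name Parametr, the root-level directory shape (C:\Files0W, C:\Galax7V) and the SHA256 come from the report. Treating any bare .exe in a Startup folder, and any Run/RunOnce value that points into a directory directly under the drive root, as review candidates is this script's own heuristic, not something the report states.

```powershell
# Added example (not from the sandbox report): hunt a Windows host for the persistence
# artifacts the sample above left behind. Run from an elevated PowerShell so that other
# users' profiles and loaded hives (HKEY_USERS\S-1-5-21-...) are readable.

$KnownSha256 = @(
    'b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81'   # submitted sample
)
$SuspiciousValueNames = @('Parametr')                                   # Run/RunOnce value name seen in the report
$SuspiciousDropNames  = @('locdevdob.exe', 'aoptiloc.exe', 'bodxec.exe') # file names seen in the report

$findings = New-Object System.Collections.Generic.List[object]

# 1. Per-user Startup folders (the report shows locdevdob.exe written here).
$startupDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($SuspiciousDropNames -contains $_.Name -or $KnownSha256 -contains $hash) {
            $findings.Add([pscustomobject]@{ Kind = 'StartupFile-Match'; Where = $_.FullName; Detail = "sha256=$hash" })
        } elseif ($_.Extension -ieq '.exe') {
            # Heuristic (this script's choice): legitimate software normally places .lnk
            # shortcuts here, so a raw executable is worth a manual look.
            $findings.Add([pscustomobject]@{ Kind = 'StartupFile-Review'; Where = $_.FullName; Detail = "sha256=$hash" })
        }
    }
}

# 2. Run / RunOnce values in every loaded user hive, mirroring the
#    \REGISTRY\USER\S-1-5-21-...\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr entries.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sids = Get-ChildItem HKU: -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($sid in $sids) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key   = "HKU:\$($sid.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... provider metadata
            $value = [string]$p.Value
            $exe   = $value.Trim('"')                      # strip surrounding quotes from the command line
            $leaf  = (($exe -split '[\\/]')[-1] -split '[\s"]')[0]
            # Heuristic (this script's choice): an .exe directly under a drive-root directory,
            # e.g. C:\Files0W\aoptiloc.exe, is unusual for installed software.
            $rootLevelDir = $exe -match '^[A-Za-z]:\\[^\\"]+\\[^\\"]+\.exe'
            if ($SuspiciousValueNames -contains $p.Name -or
                $SuspiciousDropNames -contains $leaf -or
                $rootLevelDir) {
                $findings.Add([pscustomobject]@{ Kind = "Reg-$sub"; Where = "$key\$($p.Name)"; Detail = $value })
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No matching persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

The Startup-folder check hashes every file it sees, so a hit on the known SHA256 is reported even if the dropper renamed its payload; the registry check keys on the value name and on where the command line points, because the report shows the same value name (Parametr) reused across Run and RunOnce with different payload paths.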
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also common in benign software (locale lookups), so it carries weight here mainly because all three processes in the chain perform it.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | Occurrences (of 64 IoCs)
3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 4
4312 | locdevdob.exe | 30
5032 | aoptiloc.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3372 wrote to memory of 4312 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 87
PID 3372 wrote to memory of 4312 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 87
PID 3372 wrote to memory of 4312 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 87
PID 3372 wrote to memory of 5032 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 90
PID 3372 wrote to memory of 5032 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 90
PID 3372 wrote to memory of 5032 | 3372 | b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | 90
All six writes are from the parent (3372) into the two children it has just spawned (see the Processes section). A parent writing a few times into a newly created child is consistent with ordinary process start-up as well as with injection, so this signature should be weighed together with the dropped files and Run keys rather than on its own.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
    PID: 3372
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
        PID: 4312
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Files0W\aoptiloc.exe
        Command line: C:\Files0W\aoptiloc.exe
        PID: 5032
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5 98d1ca7bd82b728e2d51fc7691159edf
SHA1 e587c122c63f7c2da4e2fce902a3eb348f100cb9
SHA256 d4a904bf30aa5aa6c9d6769ef7555ea4a61b14a53aaaa376ab67c4345bc003d0
SHA512 f823dcf982b64769214ede8efe9e83fd39c02ee01f184202cf401c96dfbf5af50399ca03411fda1762c2d72fe048848dc09e6241711b44631a3e43992c4be6e7
-
Filesize
2.6MB
MD5 a6d9fd51643f775d5f02301c5f90553a
SHA1 fda4f2e6c235a4e2f4274efd781e775d226e8865
SHA256 08d478aaa815843e0dc1a7b35d37e9790e1e84d183c770ae6907d324f4a74fd4
SHA512 992796719f70cf65573ff576e4cc79d64bcdfba9d7fe9bde5e6efe9534fe05d9e1127b8ee6ac781d75eb54c188699f7515f10e96f43e96f633a3a33f7aaf5935
-
Filesize
2.6MB
MD5 c679009ad8c59858c8937025094ad9f8
SHA1 483459a17ff5de7d34b83feaeec02ef2c860e001
SHA256 6d8b0dedb800f829ae95e04580ddea922396de6d440a4625b1da5dd2c04d0321
SHA512 2ee5ffe895d96327c9040b12fea176bb9a773e9041affb3ec8ef69822b9419d50866045ec9ac2c6521928ac17b75f2ac0165ec59b63a406d594aa5c75f89feff
-
Filesize
203B
MD5 df9606d0686235bb050219cbc80bb5f3
SHA1 cf88e5bfa8e8e20c04aa28a2ba06a3d0e5446a36
SHA256 f99d900e55669864b5e2f2ef9f009cace875b04e95b2ee5e7c3429da7b89ed75
SHA512 c040080da21505ff1184a53dc968b93cb3f78022c5ba9744b5dd266a25473a620dc39e9d625c2a1abbf83f86ac7ebfa9aace0e9ea654d340c99e80a312ec5c36
-
Filesize
171B
MD5 903be4fc99a1444568451b93307d29fb
SHA1 72aad8a3e0e63a2221876a5b057301486f05c385
SHA256 4f77de82be5762fde55b0e741acc7175f3b79bb6fb13a5b49cd3d3f245bac639
SHA512 5318446cc3b955649808e6b6e7c89296493c447e0b2520943dcdbdbbcf731b66f6332acc24af6b2f8c850e6060697f27ccd916f3bd9c48b91fe3ad34fa341c8f
-
Filesize
2.6MB
MD5 a0783ffe2820ed0262a17028ec9af3d8
SHA1 c119e61399b07484f5ca1a2a721311dd618a7dae
SHA256 4c2747247f35e07d38b17a50a1f529b9ee5fe1087de079f678a2e7f42b2bb291
SHA512 73fbfae1bab7f02fa65aa876df84f50c19e720f9b094b88bf52e6ec3fc58276b65b5676176624527f517dbbbea0ea11f5e71b66f6e2a10fa22b1afdcef7ce402