Analysis
max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:37
Static task: static1
Behavioral task: behavioral1
  Sample: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Resource: win10v2004-20241007-en
General
Target: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
Size: 2.6MB
MD5: 2c5727a954b8acb61e9702f5f8624360
SHA1: 1d787ffc4d49ae5bf8878f35d966810d8c9cae8c
SHA256: 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcf
SHA512: e9cc85af137e2b0731ab1714b46bce5df7cacb166668780227bf1530003265532591e81dcbd0583c110045b77c5ab1b3ba880efb9df42be977478c2e22a5b3ad
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1516 | locadob.exe
  5052 | aoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJK\\aoptisys.exe" | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFC\\optiasys.exe" | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2160 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
  1516 | locadob.exe
  5052 | aoptisys.exe
  (the 64 recorded events repeat these three pid/process pairs)
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2160 wrote to memory of 1516 | 2160 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 90 (recorded 3 times)
  PID 2160 wrote to memory of 5052 | 2160 | 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | 92 (recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe (PID 2160, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (PID 1516, depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesJK\aoptisys.exe (PID 5052, depth 2)
    command line: C:\FilesJK\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads