Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 14:37

General

  • Target

    6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe

  • Size

    2.6MB

  • MD5

    2c5727a954b8acb61e9702f5f8624360

  • SHA1

    1d787ffc4d49ae5bf8878f35d966810d8c9cae8c

  • SHA256

    6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcf

  • SHA512

    e9cc85af137e2b0731ab1714b46bce5df7cacb166668780227bf1530003265532591e81dcbd0583c110045b77c5ab1b3ba880efb9df42be977478c2e22a5b3ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1516
    • C:\FilesJK\aoptisys.exe
      C:\FilesJK\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5052

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesJK\aoptisys.exe

          Filesize

          2.6MB

          MD5

          efdd696809cff5f1998fb2da6a5e0367

          SHA1

          cf9bed143449a178e9d198745980d21354d45b71

          SHA256

          df813ec01242b01d6aa58e0ae8de42121f1b627549a45d0e6c0b1cf878905e50

          SHA512

          07534cc1ca182ef1148e5568b279b3ce79241a5be43ec093afca8f2f5ebffa544a63dc385feee87b35a638dced1038a3197b88392fe5306b722e3c2aaefd4498

        • C:\MintFC\optiasys.exe

          Filesize

          2.6MB

          MD5

          25ed69447718f994757a3866a9c3edda

          SHA1

          4b1175c5544497499c33a417e6c177d6b7a5136a

          SHA256

          338aabf49558a39e40f710d630cab50a4fe83ed2e74321adca0976e1950c2ed1

          SHA512

          1f6db4174e891f74c345d965f1c9e2b1258e0050cb487f669911a27521f65a63e1e5bb94075469dcf7252d5577b5951a2a09bc375f5a51c5f2b2873f4f5c9f4a

        • C:\MintFC\optiasys.exe

          Filesize

          14KB

          MD5

          5ffab038d17d47771c031d3b701e0cc5

          SHA1

          74d331d26e5210e7e523c750b0080e1641bb61f5

          SHA256

          1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

          SHA512

          fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          01250e943aaeb48ce550403231b5dee5

          SHA1

          e948767914800c15ab14d223910fbf24a46083aa

          SHA256

          4d4d368f9b7c2c7f4687faa15f00369cfec83748bcdfcac56e1b830262b28200

          SHA512

          c785f4c9f9c2c5d490d225170c27413e3a2ba7c30c791c56d4df5f968918ec0b312124729c7ebfe8b2e102d3866155538ea87a96eb77d8be03cb345a14fa2120

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          2aa7292ec670a6719bec8d3539d0ffad

          SHA1

          db823ff68c64319649bf6a4c43b5bb0ff7875377

          SHA256

          7665a3fb892a124945306b5d3793969a05b338abf791f2abc1f8a8be3d63418b

          SHA512

          1450c49d8a52cc936527970684366c0282f45962de9490becf5cc71dc64d8ac202f568d5b794932d40320df3113b885c6ac9973b1500bd40e7509ca50a221ed1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          6bd97453b8f01b407d10ee27b809713a

          SHA1

          cc9b082c70ab6b64c41e268e64f20804ab6be956

          SHA256

          11a4e07939b45d5213d71e97a0941158c6cafd29545a59ed440afb049b25075b

          SHA512

          f3f173f3782abad6b4dd6b7710d2a1733381fa6acb6116945490f7dcaa40827f02625516522f9cb3ffac95fb80f857a98a0ef5145f98363249dad92ad19de424