Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Resource: win10v2004-20241007-en
General
Target: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
Size: 2.6MB
MD5: 7c5ec4cf4d8f7aa0c39533542cb75190
SHA1: 21d9fcd8da84e8890c6aa625cc0aac4bff1ea977
SHA256: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89
SHA512: 0f7924e7011e38a6a86157907a501e9ffec1a75d5cd0477e8e23b169d345a059e23f91d4efbc9227e530905337f3aaeafbed81677885d95f8582da1888b11d2e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe)
Executes dropped EXE (2 IoCs)
  PID 5068: locdevbod.exe
  PID 1312: aoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTW\\aoptisys.exe" (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLV\\boddevsys.exe" (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptisys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated across three distinct processes)
  PID 2232: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  PID 5068: locdevbod.exe
  PID 1312: aoptisys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2232 wrote to memory of 5068 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 88)
  PID 2232 wrote to memory of 5068 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 88)
  PID 2232 wrote to memory of 5068 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 88)
  PID 2232 wrote to memory of 1312 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 91)
  PID 2232 wrote to memory of 1312 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 91)
  PID 2232 wrote to memory of 1312 (process: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe, procid_target: 91)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
  PID: 2232
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2 (child of PID 2232): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 5068
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Level 2 (child of PID 2232): C:\AdobeTW\aoptisys.exe
    Command line: C:\AdobeTW\aoptisys.exe
    PID: 1312
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads