Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:14

General

  • Target

    aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe

  • Size

    2.6MB

  • MD5

    1a9eb84e3c93211f62724b53b0d7c603

  • SHA1

    37dee78b4ca56a1671b13927063cc2131e6dc565

  • SHA256

    aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9

  • SHA512

    26512f8bcb571306b20bebab9cc7ea682c1a76b54908ad2511cd5ab0ff64a5c3807b0727ccf74fce877b400a19bb5cdfb3b406626e1c0e5cd48921b2a7fb147a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSP:sxX7QnxrloE5dpUpbbM

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
    "C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3632
    • C:\UserDotL3\xoptisys.exe
      C:\UserDotL3\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2376

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\UserDotL3\xoptisys.exe

          Filesize

          174KB

          MD5

          0f096bde926842f74e4216a606ed54a3

          SHA1

          454c2318195e7b5b78897b16806aa5f230bb185e

          SHA256

          afe422d3bb46cd851b457adf36c246b8e22dd4c60ab13cca58515e163a9a0e17

          SHA512

          0ad3fa54a5af275c255125d9e5731328e039f0b7d42dcd7749791e0a8e124c71ebd3b26bb03ed2906ac30de6dcb0b17dbd628e9a946ea534078a46cb2655ac6e

        • C:\UserDotL3\xoptisys.exe

          Filesize

          2.6MB

          MD5

          cdea3c5d45bce16674bf4612a65b93f4

          SHA1

          8308b5a774838a9236da1326b70b14a5f8c91e4c

          SHA256

          b9cf282994ce2487d62dd8704dd0e62eb4f3c73bda08e5f8dfddd3efd8003459

          SHA512

          34d20b73b5122e491743cac479a1c919609335440d54da7bfd5ae50aeb9c451cc3b561c8693147df989b6e0090de18295b575deab1e07cdb7b6d58c9ac804098

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          83a03821b1431c679a0d1fb12e7cb832

          SHA1

          b3226fc224cd3de7274b7539bd87adab3f5d8e76

          SHA256

          bd86b3e1eccaf4e8fb6aece2e62074047d9eef3cc5797d599010306ab166c9da

          SHA512

          f184f2837723118fae860db654c2d513582d76ca06119123b28774cf03dcb3141dd8f4dd79fea3c86b944015c85c84fab41968d85182ebcb8382fa779fe4ca18

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          b1b6d37877b97fabd382d4793edf0ee2

          SHA1

          bfc4d89f43864bf4b898106e57979971abd00f05

          SHA256

          a06d52963bb534940aec8c4751eb7021dc143dfc1f2a348b14d58644224601a7

          SHA512

          70415f17461a5c65488aefc5c0a1e9089c05695309dd1c62b77bc9fe3099680886d9817d78b9bd3346d81655319321bc541d7fe916e4110bd8c820c6de5bad51

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          fe8cb7b75de0a32186b5a430e7017303

          SHA1

          1bb3c85e73d82698f69b28be0437377db1a819c1

          SHA256

          52dc3766725fab89ae68d0c80906f297491dbf1f131f6f08537b4fc57ec50d31

          SHA512

          f4f59b8e0cc5c9efdecadfcaa498359d0d44e2cebd50dcae814afce4f18bca68556de04ff819d2577137dafbce710c02e9e972a27e3615de133f2294a8f3b884

        • C:\VidHY\bodaloc.exe

          Filesize

          1.8MB

          MD5

          a11f76255b9ca6234bfd6aa66474643d

          SHA1

          e3cc3fe2e8e1a624e3288e828320a33d91a8d733

          SHA256

          2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

          SHA512

          5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

        • C:\VidHY\bodaloc.exe

          Filesize

          2.6MB

          MD5

          2b4e66069f32fc3110e81b0b727864fc

          SHA1

          5c628552b1f7f727c9704f4143c0699ef2b7e865

          SHA256

          b1bcfaca5d2691c39b6271cc9b9bb3ee9f4c9db629d94ebf57d99087367068bb

          SHA512

          994232945960d3a584de18240abec2fcdb9125a3a9c6726f1d7327cadfd27c7bceefa0d5b98f2b5614fe6f01bf3496e62637e1e05e04009625bb5e1b796287b7