Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:20
Static task: static1
Behavioral task: behavioral1
  Sample: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Resource: win10v2004-20241007-en
General
Target: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
Size: 2.6MB
MD5: 9c8e2668fabfeb142bb974b0d69a0a75
SHA1: cfb0173ceb3461fca2da5e7b7f6848b3d0c3be11
SHA256: 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30
SHA512: 929884d5ae9b9124c95e79757cee62a4341bf55f2a9150ec5b99a383a0b47fa1f67d0b29503eb6b57c5ef7efb3a21b48acd1f6df0c04310aa93066b47901e6ee
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSf:sxX7QnxrloE5dpUptbA
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3788 | locdevopti.exe
  4768 | adobsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWI\\adobsys.exe" | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\optixloc.exe" | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences in the report
  1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 4
  3788 | locdevopti.exe | 30
  4768 | adobsys.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1564 wrote to memory of 3788 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 87
  PID 1564 wrote to memory of 3788 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 87
  PID 1564 wrote to memory of 3788 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 87
  PID 1564 wrote to memory of 4768 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 90
  PID 1564 wrote to memory of 4768 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 90
  PID 1564 wrote to memory of 4768 | 1564 | 119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe"
  PID: 1564
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 3788
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvWI\adobsys.exe
    Command line: C:\SysDrvWI\adobsys.exe
    PID: 4768
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 1158f86a0845ee6fe9ce7b682fd51439
SHA1: caf9890ab05a6eef87827bb3ab60eaee3b254faa
SHA256: 3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1
SHA512: 3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503

Filesize: 21KB
MD5: c9ac313e906df1f057c5759320a5feac
SHA1: 6f1bb04a2bcf2f67632823911043d6c3db80de2d
SHA256: b4130f462775ca1786a87d2bb2551bf5c3bf0341a658a98b47a682ef5199fd0d
SHA512: b782353e01cee193e32a075797ffcb25fa8a4a8ad8d857f1247560d850f7c2cb77598ea4b65d72ddbf45b7566c0efb59196b26ad8e6d13cac41f806deb708bde

Filesize: 37KB
MD5: d63a823168f9fe823402bd544db3a7f6
SHA1: 9b86fd4b090688f3b8b7895822bd94c632f0e8aa
SHA256: 5b94b32986d895fee06fe460ef15f27348b8205ec548909189edac07a17aaf25
SHA512: d08c95656226b1e7f4a7223d1ff91590ada4ce93f2c5e079df57cbf86616eb2c4c639f700f66618178363b89a88561ce648303b8237270ca8e7f8cb54b6cdcc8

Filesize: 2.6MB
MD5: ef6e98d76b01749350af1376877a94a2
SHA1: 9a9d371b9ed3cd96d5a3cb47379de4d91d417823
SHA256: 882003ec8f5a850819ddbe3fe948cfc2cc067964c9bf32ab4bd6390b3e4af92a
SHA512: ab208206dd275e4659b2ae2a86d6f5bc79eab71c72aedb36a4291416f8441af56d4c0f1195e430d42bef391971898c1c5f016ec970f5e355eb882e74a476f560

Filesize: 205B
MD5: 929f1a4b37b34dcdafbb732a0e857a44
SHA1: 53d519757f3e6818613d76fc5262e86a1c997734
SHA256: 680cd41a178fce11fc946e39eca1f647fd7f16441a8f35f83c884727d89f9f70
SHA512: c40cc7db176ff01d8311de7c5d77fdd21ed60150c37e2cd1d0314087cff7eeefce375f03d1ef82857e2212dc8d525bb853c1fe701de0365be548db869bfd79b5

Filesize: 173B
MD5: dfbde180a5d6517e769767920a9f3284
SHA1: 8531993eafbc87679f9abd94b3cd5df6cd48d981
SHA256: 6c22100f33a7be204f617c31154258390693eee89167959e29864e52edde919b
SHA512: 7359cf2d21524a75cea0b7d049b51a48ad53a3929d84da7fab3879421790e19e74ba3b8d477ca1cabc2ba30ca6f82ece4ec42087b418827eafd2b52e2260b607

Filesize: 2.6MB
MD5: e540afa7cc19bde7178c682401d9f620
SHA1: 2dab0adb05fad7fe460f555a8d16ffc84d270f25
SHA256: 3b16bb278dfa40a0f8d9fe484ab3234a53338b57ad988364f75bd0929d99b8c5
SHA512: 40ee8d257fd3113c76021dfa2d5b98559a2acf7ddeaed6bf5dd5f188b25b445fb080727da466d8931d32f6020e0d357b7a903163fe3e9be7380c505f8d1dc0fb