Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11/11/2024, 23:23
Static task
static1
Behavioral task
behavioral1
Sample
40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Resource
win10v2004-20241007-en
General
-
Target
40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
-
Size
2.6MB
-
MD5
de5119a5833a00c284562514bc52aef3
-
SHA1
f2e62e9ff4d6d0c40c911b0dc404a33d18e22fc2
-
SHA256
40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf
-
SHA512
3a024ad05413ff62a08d19e7d636cbfa29148f714b8122de5dcfcea137f2b036f738fa9748e0f7c9dc258a099b75a698e3bf36dfeb5d46ebd0d91270edd050d6
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSf:sxX7QnxrloE5dpUpabe
Malware Config
Signatures
-
Drops startup file 1 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe |
-
Executes dropped EXE 2 IoCs
| pid | Process |
|---|---|
| 2104 | sysadob.exe |
| 1804 | aoptiloc.exe |
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX7\\aoptiloc.exe" | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQ9\\dobaec.exe" | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe |
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiloc.exe |
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
| pid | Process | entries (of 64) |
|---|---|---|
| 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 4 |
| 2104 | sysadob.exe | 30 |
| 1804 | aoptiloc.exe | 30 |
-
Suspicious use of WriteProcessMemory 6 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4676 wrote to memory of 2104 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 87 |
| PID 4676 wrote to memory of 2104 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 87 |
| PID 4676 wrote to memory of 2104 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 87 |
| PID 4676 wrote to memory of 1804 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 88 |
| PID 4676 wrote to memory of 1804 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 88 |
| PID 4676 wrote to memory of 1804 | 4676 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 88 |
Processes
-
C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4676
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2104
  C:\IntelprocX7\aoptiloc.exe (level 2)
  Command line: C:\IntelprocX7\aoptiloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1804
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
2af0bd5ae01f91857312e205249995d1
SHA1
15545f051e50ae35e2410435316f63229c22a595
SHA256
f719e1c91547caf5183f75e548f5895b71b140e2da525f945163fbb686bfaaa5
SHA512
a1c24aab3116419bc6370980f8503f387d0064a25044db6ecb95fde40938d302c016564557e6fe6c527466e0d36393a13bd40e0c97736254dd9f8edc1f3ad081
-
Filesize
4KB
MD5
ede40b36034d11420daf9b761d447622
SHA1
83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7
SHA256
6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4
SHA512
0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120
-
Filesize
2.6MB
MD5
8db449dcb72c9cb76f3b40a45fa3b7f0
SHA1
5746e2ddb56a8e87296f9bdd26afa7556d134c18
SHA256
feabc132898df8d45ccf390c9cd43660f291aed81f63d168562c4a01f24919db
SHA512
7a9e218404df7227dc36d9c805ed5bfaf1ab1fd52af11def0df7e41f7af2f15e64a5a8a51b36edc4ca3fd64a4a8b07d27f83d072743d13ba8afc37a99d0892d4
-
Filesize
204B
MD5
0b09938aa678b5ee0e8547df86070fc4
SHA1
6353d418f3f66cbdd151acab931d584369be46c6
SHA256
9c6180bacf11c7c3ffcd5888ad67d3299bb3ce897f0072972ac6840651e18eb9
SHA512
98ef93fb21f5e99196c9dbcc740f9d041979f511a5de21b4ecdebf762f604c7c20b720d2b9b58c5ff730a75dc2ca67226f7d3c7b5b0b76611f5e68d875158ee5
-
Filesize
172B
MD5
f72c6641f65846b3897873642263656f
SHA1
f760e7fe1da9c13a96e36f600f22d5b697bdfce7
SHA256
17021cb0b1f2f42aa9c4b3c3ba82911e595970d0a812bfb2fa465c145fa754b4
SHA512
30941d93aa03fa981366aa29661d9068bc2b0b4fa2a42bb9c5a762e96be67086905ace7224d0dc080ba4fa3b455300db7e482eb707ee76795a8bcba6d0990075
-
Filesize
2.6MB
MD5
304cf9add85867d5d8cded1f02b271d0
SHA1
c23b6913f42de1af7a58a9f1a1ab80b9cc29de75
SHA256
bbb7b7857fd05a515f07dfe814d34d5a6b8a612cda9e5cde22bcc0454b21b7da
SHA512
0c2658a1e524111b6183efafc5db3cd79bdc879114a1a30a0076c6e9f885485f80311be764ff7f7168bbd7f6118a6f1261aeaf0fac8b55c987b307189c7f4656