Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:29

General

  • Target

    1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe

  • Size

    4.1MB

  • MD5

    ddd71148549b197fce05d66ec84290ef

  • SHA1

    3018bf432e92a1bed6ead13c2bda44ee933de2c2

  • SHA256

    1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8

  • SHA512

    82e0812e2cd9868f241d08f0177ecd8f5fe052708cdf2637381772563b874c398854f07e255f50dc5cb518cfe07ea8d499f736240cdc5300fe428d048506626a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI20tJ:sxX7QnxrloE5dpUpgbVz8eLFczU

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2868
    • C:\SysDrvWM\aoptiloc.exe
      C:\SysDrvWM\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4824

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrvWM\aoptiloc.exe

          Filesize

          4.1MB

          MD5

          b837ba0f90aff5fa648c83912a9998d9

          SHA1

          a2db36d51b24a28b8ecc67ccfcfaabfc60244ece

          SHA256

          bd313dc420f5bebf3624f48bcd1b91baeba5bf41b2eeed0011ec20226a411331

          SHA512

          fa1f7b6e3caec7698366ee9ab57fd08ea192926cd712ebfde8739f84a2d0a3f72db284527e340f07d350977df8c81e47e77362ee2e58b8fad0aa6ea8affec1eb

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          206B

          MD5

          cd094fd4ee254073bb4148725ffb1229

          SHA1

          c91f76dd5c6f1432c552667c85e3fbf0f0667abb

          SHA256

          970c7698d3eede8c2799eea41a186663b8a799107647afb3c31549ead7b2a735

          SHA512

          8740bb174085c872e3d622601490700c32831cb27bd3c261e121e0469bdc0042b6d71e78aac5481a0ec86e3f4315b78d8bb91139e2d295bd377d44f5a032218c

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          174B

          MD5

          9626b64b3f90693ab73e843524d293e8

          SHA1

          5c3b51f73de4c72391841e397825553b97757a43

          SHA256

          cf839f5672963a418d9f4be3b847a4bd1604dd9ea972d70bff9baedfb5b1e890

          SHA512

          5cb194905702118e5a831d13a154688383aba2e6abb2e16934b31473dbc733b53a292d9340cd7992def587d12e4e72883be16d8c4e3213840226c9e3df6ebde1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

          Filesize

          4.1MB

          MD5

          87bb1ec6f8a29fc371bf13b3d91f0a95

          SHA1

          6e8c3f1456421a72c52efb2bdd0be56618f0824c

          SHA256

          169aa23a61496fbc8a43186c445909bdc64d726ad45ec25f54eec90aa804eff0

          SHA512

          6e7986c69994d9d2a491d3235b8e7c0e03427fd34f4b2359e89b2ab516c4768a470f83af38ad7166de98afd094fe6890c6e080b7a179cb4980a95d6dc8e363b9

        • C:\VidYJ\optidevloc.exe

          Filesize

          286KB

          MD5

          60eb3d7edbdaa8fe80ec277048aa279b

          SHA1

          b318c0ad98a3fd0c5ecf0a586cf4adfbf2ecdc99

          SHA256

          2b5e8f234cfc6d0aa9b99806662be61af42a7dc6a2f201490dbbf304a6515775

          SHA512

          1ffcf669cdb430e096b3daf8355634b570eca8cdf910eb56750366459cabd28dc285db05455cee6ddb5d50fe2f6b52648f5cb81d0b5f390c7c0cc56ff0603b59

        • C:\VidYJ\optidevloc.exe

          Filesize

          210KB

          MD5

          37796c341a61a2d0082260c8cbe3c4fd

          SHA1

          008d12b7ebbf1ab9b89f8cfa3fc485ecd8cc8b0f

          SHA256

          515d806bea2abc3a2dd54fd8145c9ff0dd0fe756c55175300e8daf8c0733c208

          SHA512

          4f0a110288befc8304b62db4a7dc009fb3604b4470e3ab6bea21c322d967232043984df302c6e2025117478853fb957b5625fbe046b50adb15e5fba42851a33d
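The behaviours recorded above (a PE copied into the per-user Startup folder, a Run key added, second-stage copies executed from the root-level directories C:\SysDrvWM and C:\VidYJ) can be checked for on a live host. The script below is an added triage example, not part of the sandbox report or of the sample: it enumerates the Startup folder and the HKCU/HKLM Run keys, hashes whatever they point at, and flags files at the report's drop paths or whose SHA256 matches one of the hashes listed in this report. The two root-level directory names are taken verbatim from this run; whether other samples use the same names is an assumption, so the path checks are secondary to the Startup-folder and Run-key enumeration. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added triage example (not from the sandbox report). Checks the persistence locations and
# drop paths recorded in the report and compares SHA256 hashes against the report's IOCs.

# SHA256 values copied from the report: the submitted sample and the files written during the run.
$ReportSha256 = @{
    '1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8' = 'submitted sample (4.1MB)'
    '169aa23a61496fbc8a43186c445909bdc64d726ad45ec25f54eec90aa804eff0' = 'Startup\sysdevbod.exe'
    'bd313dc420f5bebf3624f48bcd1b91baeba5bf41b2eeed0011ec20226a411331' = 'C:\SysDrvWM\aoptiloc.exe'
    '2b5e8f234cfc6d0aa9b99806662be61af42a7dc6a2f201490dbbf304a6515775' = 'C:\VidYJ\optidevloc.exe (286KB)'
    '515d806bea2abc3a2dd54fd8145c9ff0dd0fe756c55175300e8daf8c0733c208' = 'C:\VidYJ\optidevloc.exe (210KB)'
}

# Drop paths observed in this run. The Startup folder is resolved for the current user;
# the two root-level directory names are assumed to be stable across samples, which may not hold.
$StartupDir = [Environment]::GetFolderPath('Startup')
$DropPaths  = @(
    (Join-Path $StartupDir 'sysdevbod.exe'),
    'C:\SysDrvWM\aoptiloc.exe',
    'C:\VidYJ\optidevloc.exe'
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Registry provider metadata that Get-ItemProperty attaches to every key; not Run values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-Sha256OrNull([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
    return $null
}

function New-Finding([string]$Source, [string]$Item, [string]$Exe) {
    $h = Get-Sha256OrNull $Exe
    [pscustomobject]@{
        Source             = $Source
        Item               = $Item
        Sha256             = $h
        MatchesReport      = [bool]($h -and $ReportSha256.ContainsKey($h))
        # Executables that legitimately autostart almost always live under these roots.
        OutsideTrustedDirs = [bool]($Exe -and $Exe -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
    }
}

function Get-Findings {
    $findings = @()

    # 1. Files present at the exact drop paths from the report.
    foreach ($p in $DropPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings += New-Finding -Source 'DropPath' -Item $p -Exe $p
        }
    }

    # 2. Every file in the per-user Startup folder; the report shows a 4.1MB PE written here.
    Get-ChildItem -LiteralPath $StartupDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += New-Finding -Source 'StartupFolder' -Item $_.FullName -Exe $_.FullName
    }

    # 3. Run-key values, reduced to the executable they launch so it can be hashed.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $ProviderProps) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            # Quoted path: take the quoted part; otherwise take the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $findings += New-Finding -Source "RunKey:$key" -Item "$($prop.Name) = $cmd" -Exe $exe
        }
    }
    return $findings
}

Get-Findings | Sort-Object MatchesReport, OutsideTrustedDirs -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. First, the report's hashes are run-specific: the submitted sample, Startup\sysdevbod.exe and C:\SysDrvWM\aoptiloc.exe are all 4.1MB yet have three different hashes, so the dropped copies are rebuilt on write and a hash match against another infection is unlikely; the Startup-folder PE, the Run key and the root-level directories are the durable pivots. Second, the Downloads list records C:\Users\Admin\253086396416_10.0_Admin.ini and C:\VidYJ\optidevloc.exe twice each with different sizes and hashes, meaning their content changed during the run, so a hash taken from a live host may match neither entry even when the file is the same artefact.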