Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:29

Static task: static1

Behavioral task: behavioral1
Sample: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
Resource: win10v2004-20241007-en
General
Target: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
Size: 4.1MB
MD5: ddd71148549b197fce05d66ec84290ef
SHA1: 3018bf432e92a1bed6ead13c2bda44ee933de2c2
SHA256: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8
SHA512: 82e0812e2cd9868f241d08f0177ecd8f5fe052708cdf2637381772563b874c398854f07e255f50dc5cb518cfe07ea8d499f736240cdc5300fe428d048506626a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI20tJ:sxX7QnxrloE5dpUpgbVz8eLFczU
Malware Config

Signatures

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (by 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)

Executes dropped EXE (2 IoCs)
PID 2868: sysdevbod.exe
PID 4824: aoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWM\\aoptiloc.exe" (by 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYJ\\optidevloc.exe" (by 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by sysdevbod.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by aoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Distinct processes across the 64 repeated events:
PID 1388: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
PID 2868: sysdevbod.exe
PID 4824: aoptiloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
PID 1388 (1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe) wrote to memory of PID 2868, procid_target 86 (3 events)
PID 1388 (1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe) wrote to memory of PID 4824, procid_target 89 (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
   PID: 1388
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (child of PID 1388)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      PID: 2868
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\SysDrvWM\aoptiloc.exe (child of PID 1388)
      Command line: C:\SysDrvWM\aoptiloc.exe
      PID: 4824
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads