Analysis
max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
12/11/2024, 16:38
Static task
static1
Behavioral task
behavioral1
Sample
eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Resource
win10v2004-20241007-en
General
Target
eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Size
2.6MB
MD5
37456cc11ecdb190fe3a6a3f53c61860
SHA1
f2f5eca5d60f67a17277a8e2b8c929041f3eb031
SHA256
eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17
SHA512
80fd964ee3dbe341d7c71c08cb629f3b407375e5d9e5fb1e65dbfa78fb2935ae3dba2774703624aee6210bfeca475161e6b623fc1329b18dc26a5c6923f2ef34
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Executes dropped EXE 2 IoCs
pid | Process
1684 | locaopti.exe
4512 | aoptiec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report attaches no IoCs to this signature, so it is a TTP-level match only; the specific browser paths touched are not shown on this page.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH2\\aoptiec.exe" | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Y\\dobdevloc.exe" | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Both values share the name Parametr and point at executables in freshly created top-level directories (C:\SysDrvH2, C:\KaVB1Y). The Run target aoptiec.exe is executed during the run (PID 4512 below); the RunOnce target dobdevloc.exe does not appear in the process tree within the 120 s window, so it would only fire at the next logon.
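The two persistence artefacts the report shows (the Startup-folder drop under "Drops startup file" and the Run/RunOnce values here) are what a detection engineer would want to catch on a live host. The following Python is an added example, not part of the sandbox report: it runs a small classifier over Sysmon-style registry (EventID 13) and file-create (EventID 11) records. The records are constructed to mirror the report's IoCs plus two benign decoys; the field names follow Sysmon's schema, but the event source, the trusted-directory allow-list and the ATT&CK labels are assumptions of the example.

```python
import re

# Autostart locations the report shows being written: a value under the
# per-user Run/RunOnce keys, and a file dropped into the Startup folder.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)
STARTUP_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.(exe|lnk|bat|cmd|vbs|js)$",
    re.IGNORECASE,
)
# Assumed allow-list: autostart targets under these roots are treated as
# expected (installers legitimately write Run values); anything else is flagged.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed events: the first three mirror the report's IoCs, the last two
# are benign decoys. Field names follow Sysmon EventID 13 / 11.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
HKU_CV = r"HKU\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PARENT, "TargetObject": HKU_CV + r"\Run\Parametr",
     "Details": r"C:\SysDrvH2\aoptiec.exe"},
    {"EventID": 13, "Image": PARENT, "TargetObject": HKU_CV + r"\RunOnce\Parametr",
     "Details": r"C:\KaVB1Y\dobdevloc.exe"},
    {"EventID": 11, "Image": PARENT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU_CV + r"\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": PARENT, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]


def normalize_path(value):
    """Strip surrounding quotes and doubled backslashes (the form sandboxes
    render REG_SZ data in) and lower-case, since NTFS paths are case-insensitive."""
    return value.strip().strip('"').replace("\\\\", "\\").lower()


def classify(event):
    """Return a finding dict for a persistence artefact, or None for anything else."""
    if event.get("EventID") == 13:
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if not m:
            return None
        target = normalize_path(event.get("Details", ""))
        if any(target.startswith(d) for d in TRUSTED_DIRS):
            return None  # assumed-benign installer behaviour
        return {"technique": f"T1547.001 {m.group(1)} key", "value_name": m.group(2),
                "target": target, "image": event.get("Image")}
    if event.get("EventID") == 11:
        fn = event.get("TargetFilename", "")
        if STARTUP_RE.search(fn):
            return {"technique": "T1547.001 Startup folder", "value_name": None,
                    "target": normalize_path(fn), "image": event.get("Image")}
    return None


def scan(events):
    """Run classify over an event stream and return the findings in order."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed stream this yields three findings (Run, RunOnce, Startup folder) and suppresses the two decoys. The allow-list is deliberately coarse: C:\Windows\Temp is user-writable, so in production pair the path check with an Authenticode signer check on the target rather than trusting the directory alone.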
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiec.exe
All three executables perform the same check, which is consistent with the dropped files being copies or variants of the original sample.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
540 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 4
1684 | locaopti.exe | 30
4512 | aoptiec.exe | 30
(The original listing repeats the 1684/4512 pairs in alternation; the counts above summarise the 64 entries.)
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 540 wrote to memory of 1684 (3 times) | 540 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 87
PID 540 wrote to memory of 4512 (3 times) | 540 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 90
Both targets are the parent's own children (the two dropped executables below), and the writes occur only from parent to child; nothing in this report shows writes into an unrelated process, so this is more consistent with ordinary process creation than with injection.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
PID: 540
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  depth 2 (child of PID 540): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  PID: 1684
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  depth 2 (child of PID 540): C:\SysDrvH2\aoptiec.exe
  Command line: C:\SysDrvH2\aoptiec.exe
  PID: 4512
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
(The report lists six dropped files by hash only; it does not map them to the paths above.)

Filesize
2.6MB
MD5
bf18616e104829efff1d8e2c35b3a4bd
SHA1
4d829b6b2b80c19067b17df0caa3fdecac1c9c3d
SHA256
af92f097675856db675954f7bcbb1906b2da8164292990b50c5f36880da6882c
SHA512
452b6a2c217087af6ee2b270f724b9d5252742327f2b258135bd93ab7e4499685139f7c4f6c423deba4a5d651b144375dc60fe9d2d71f38ba0868ac7051626d1

Filesize
2.6MB
MD5
00208e88d6955d91d17f6e97df488e43
SHA1
548faa67fb60c2067db784fd418b3e136758e109
SHA256
64eaf30d08b4d0342db0c13ca79045a00c8224ecea1a66e89223265b36876420
SHA512
36b70e0de7fa6e51feb060d5f5313e42b119193f21f76d9443a6ac5945c7c60596d7254eee48dc7395918de3c4e90e2d3a1a6bf1b78058047e09956329d35686

Filesize
2.6MB
MD5
311484c157ed889ca934da045471137f
SHA1
f68b4121402c1e46020948ac0e352bc6e4638ab0
SHA256
3660c1bf4c111840f73669f916d786f2ff4889b49f45de3660ecac7d046dc5ce
SHA512
3c9dd5a8d977537edc0081c934f97ea85f7f4d49e23424d6fd27624845b51cebb96e3d07a9b53cd76f9b2d3b34516f13ed42f05b7ff2d21d5f93cbc83a098306

Filesize
204B
MD5
497a50ef7c562d5e05c154111e96c622
SHA1
2d901cf395c5b286324a45b3ab779f4abcd1e7f4
SHA256
c569f8031dfb23d334c7b8b4aca6c219e667205bd635ec0582d13d964501326e
SHA512
b26d1adbb9388518ae9c4bcb9b110cf26b0cd544b7dde6d1e8e5ec6097b40fbb8a4e41608fda426173e988ce91e4fa0ab9132613ca399949546c16afae658cc4

Filesize
172B
MD5
f1ac41a33e426b02e4b9e4db7572f27d
SHA1
5916a71cb527373840d4157d91f1f0bef9812866
SHA256
aa0d6bb777f7ac5347a8f34274bc846bbd2f047e218c380ee42aefa83c202d99
SHA512
010bd2fe9409772b5956f94817847b64080e9ea435d8888060df34a0c6c819fef50a520bae4ebcdd5aba36969b9ba32dd08c64bf0245d256f148f50323b92439

Filesize
2.6MB
MD5
cfddba53f639db007007cf895687c640
SHA1
fe8dfbffe2ad99c7e2de9898fee56cf332542307
SHA256
6daf0d368f1bde57c5ede9d998837d1bcb35504a15bab953980c57cf13fe4e5e
SHA512
5d9abe8b978169fe0ea49613b3e140519a5a57e0ca45ab7eee207e3462a0073cde1114179665ed1a7002023d73f0ff9d21ffc931727592e88c5cdcf77973d52a