Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:38

General

  • Target
    eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
  • Size
    2.6MB
  • MD5
    37456cc11ecdb190fe3a6a3f53c61860
  • SHA1
    f2f5eca5d60f67a17277a8e2b8c929041f3eb031
  • SHA256
    eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17
  • SHA512
    80fd964ee3dbe341d7c71c08cb629f3b407375e5d9e5fb1e65dbfa78fb2935ae3dba2774703624aee6210bfeca475161e6b623fc1329b18dc26a5c6923f2ef34
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
    "C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1684
    • C:\SysDrvH2\aoptiec.exe
      C:\SysDrvH2\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4512
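As an added example that is not part of the sandbox report, the following Python turns the behaviours flagged in the Signatures list and the process tree above into detection logic over Sysmon-style events (EventID 11 FileCreate, 13 RegistryValueSet, 1 ProcessCreate). The SHA256 values and file paths are taken from the report; the event dicts, the SID, the Run value name and its data, the "Executes from unusual location" rule and the helper names are constructed assumptions of this example.

```python
# Added example, not code from the sandbox or the analysed sample.
# Maps the report's signatures onto constructed Sysmon-style events.
import re
from dataclasses import dataclass

# SHA256 values of the dropped executables, copied from the Downloads list in the report.
DROPPED_SHA256 = {
    "6daf0d368f1bde57c5ede9d998837d1bcb35504a15bab953980c57cf13fe4e5e",  # Startup\locaopti.exe
    "3660c1bf4c111840f73669f916d786f2ff4889b49f45de3660ecac7d046dc5ce",  # C:\SysDrvH2\aoptiec.exe
    "af92f097675856db675954f7bcbb1906b2da8164292990b50c5f36880da6882c",  # C:\KaVB1Y\dobdevloc.exe (first content)
    "64eaf30d08b4d0342db0c13ca79045a00c8224ecea1a66e89223265b36876420",  # C:\KaVB1Y\dobdevloc.exe (second content)
}

STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories directly under the drive root that legitimately contain executables.
ALLOWED_ROOT_DIRS = {"windows", "program files", "program files (x86)"}


def in_odd_root_dir(path: str) -> bool:
    """True for <drive>:\\<dir>\\<file>.exe where <dir> is a non-standard root directory,
    e.g. C:\\SysDrvH2\\aoptiec.exe from the process tree."""
    parts = path.split("\\")
    return (len(parts) == 3
            and re.fullmatch(r"[A-Za-z]:", parts[0]) is not None
            and parts[1].lower() not in ALLOWED_ROOT_DIRS
            and parts[2].lower().endswith(".exe"))


def sha256_of(event) -> str:
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for item in event.get("Hashes", "").split(","):
        name, _, value = item.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def detect_persistence(events):
    """Return one Finding per matched rule; rule names mirror the report's signatures."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11 and STARTUP_DIR_RE.search(ev["TargetFilename"]):
            findings.append(Finding("Drops startup file", pid, ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append(Finding("Adds Run key to start application", pid,
                                    f'{ev["TargetObject"]} = {ev["Details"]}'))
        elif eid == 1:
            image = ev["Image"]
            if sha256_of(ev) in DROPPED_SHA256:
                findings.append(Finding("Executes dropped EXE", pid, image))
            if STARTUP_DIR_RE.search(image) or in_odd_root_dir(image):
                # Rule name is this example's own, not a report signature.
                findings.append(Finding("Executes from unusual location", pid, image))
    return findings


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed events mirroring the process tree; SID, Run value name and its data are assumed.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 540, "TargetFilename": STARTUP + r"\locaopti.exe"},
    {"EventID": 11, "ProcessId": 540, "TargetFilename": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    {"EventID": 13, "ProcessId": 540,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\locaopti",
     "Details": STARTUP + r"\locaopti.exe"},
    {"EventID": 1, "ProcessId": 1684, "Image": STARTUP + r"\locaopti.exe",
     "Hashes": "SHA256=6daf0d368f1bde57c5ede9d998837d1bcb35504a15bab953980c57cf13fe4e5e"},
    {"EventID": 1, "ProcessId": 4512, "Image": r"C:\SysDrvH2\aoptiec.exe",
     "Hashes": "MD5=311484c157ed889ca934da045471137f,"
               "SHA256=3660c1bf4c111840f73669f916d786f2ff4889b49f45de3660ecac7d046dc5ce"},
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The .ini write and the explorer.exe launch produce no findings; the two dropped executables each trigger both the hash match and the location rule, so on real telemetry the location rule alone still fires when the sample is rebuilt with new hashes.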

Network

  MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB1Y\dobdevloc.exe
    Filesize
    2.6MB
    MD5
    bf18616e104829efff1d8e2c35b3a4bd
    SHA1
    4d829b6b2b80c19067b17df0caa3fdecac1c9c3d
    SHA256
    af92f097675856db675954f7bcbb1906b2da8164292990b50c5f36880da6882c
    SHA512
    452b6a2c217087af6ee2b270f724b9d5252742327f2b258135bd93ab7e4499685139f7c4f6c423deba4a5d651b144375dc60fe9d2d71f38ba0868ac7051626d1
  • C:\KaVB1Y\dobdevloc.exe
    Filesize
    2.6MB
    MD5
    00208e88d6955d91d17f6e97df488e43
    SHA1
    548faa67fb60c2067db784fd418b3e136758e109
    SHA256
    64eaf30d08b4d0342db0c13ca79045a00c8224ecea1a66e89223265b36876420
    SHA512
    36b70e0de7fa6e51feb060d5f5313e42b119193f21f76d9443a6ac5945c7c60596d7254eee48dc7395918de3c4e90e2d3a1a6bf1b78058047e09956329d35686
  • C:\SysDrvH2\aoptiec.exe
    Filesize
    2.6MB
    MD5
    311484c157ed889ca934da045471137f
    SHA1
    f68b4121402c1e46020948ac0e352bc6e4638ab0
    SHA256
    3660c1bf4c111840f73669f916d786f2ff4889b49f45de3660ecac7d046dc5ce
    SHA512
    3c9dd5a8d977537edc0081c934f97ea85f7f4d49e23424d6fd27624845b51cebb96e3d07a9b53cd76f9b2d3b34516f13ed42f05b7ff2d21d5f93cbc83a098306
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    204B
    MD5
    497a50ef7c562d5e05c154111e96c622
    SHA1
    2d901cf395c5b286324a45b3ab779f4abcd1e7f4
    SHA256
    c569f8031dfb23d334c7b8b4aca6c219e667205bd635ec0582d13d964501326e
    SHA512
    b26d1adbb9388518ae9c4bcb9b110cf26b0cd544b7dde6d1e8e5ec6097b40fbb8a4e41608fda426173e988ce91e4fa0ab9132613ca399949546c16afae658cc4
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    172B
    MD5
    f1ac41a33e426b02e4b9e4db7572f27d
    SHA1
    5916a71cb527373840d4157d91f1f0bef9812866
    SHA256
    aa0d6bb777f7ac5347a8f34274bc846bbd2f047e218c380ee42aefa83c202d99
    SHA512
    010bd2fe9409772b5956f94817847b64080e9ea435d8888060df34a0c6c819fef50a520bae4ebcdd5aba36969b9ba32dd08c64bf0245d256f148f50323b92439
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    Filesize
    2.6MB
    MD5
    cfddba53f639db007007cf895687c640
    SHA1
    fe8dfbffe2ad99c7e2de9898fee56cf332542307
    SHA256
    6daf0d368f1bde57c5ede9d998837d1bcb35504a15bab953980c57cf13fe4e5e
    SHA512
    5d9abe8b978169fe0ea49613b3e140519a5a57e0ca45ab7eee207e3462a0073cde1114179665ed1a7002023d73f0ff9d21ffc931727592e88c5cdcf77973d52a