Analysis
max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  Resource: win10v2004-20241007-en
General
Target: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Size: 2.6MB
MD5: c43d5f34536775004db54a33cfd82f6c
SHA1: f2aa967ee3bfe10a7568bf653ba0f5d5cd3c9466
SHA256: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8
SHA512: 0a7ba5f9cc094d03f531383809ca9bd77ca1402846d352cf62ec7ef1f5b0bcef664f2b02acfc025183a3fa9b099f1628893ea8b6964f7ba5e5c2e4623ba3c375
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS2:sxX7QnxrloE5dpUpDbf
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  Process: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Executes dropped EXE (2 IoCs)
  pid 2460  Process sysxdob.exe
  pid 1432  Process aoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2K\\bodasys.exe"
  Process: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIP\\aoptiloc.exe"
  Process: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiloc.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: sysxdob.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2648  Process 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe (4 entries)
  pid 2460  Process sysxdob.exe (30 entries, alternating in pairs with the next)
  pid 1432  Process aoptiloc.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2648 wrote to memory of 2460
  pid 2648  Process 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe  procid_target 86  (3 entries)
  description: PID 2648 wrote to memory of 1432
  pid 2648  Process 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe  procid_target 89  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2648
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2460
   2. C:\UserDotIP\aoptiloc.exe
      Command line: C:\UserDotIP\aoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1432
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512KB
  MD5: b612536a69426c62f07a81d28343052a
  SHA1: c8ddf174d82c2872ec7e36e7796ab4237b063b77
  SHA256: 201bf89286f5f1250edb9c59d040cfe8ea65588992d4a67d7fe63c78fb921959
  SHA512: 26b709a53db7e3e02dde2cd9338edcac9d67aa2212bb9f096be01f48a7e30d9a6788fc4915bb6d30e2a88b5cbc6fa86e85d9bfb1c0de9d078f09faf107643f22
Filesize: 7KB
  MD5: ec404dc607a7bce365c371372c732d22
  SHA1: 4d3414b75d79d8d911c3947e95add02806762e93
  SHA256: 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2
  SHA512: 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a
Filesize: 2.6MB
  MD5: f2765a5246afb6d56fa8ce37dd894523
  SHA1: b5b9aa1b3606a0ee557dee98efd21bd4ea9571d1
  SHA256: 31fed3db65d3ee8e83f210900bc39671f9938763fa3f35741302a52527b7cae2
  SHA512: 1b133fcd4bbf5722c94710f4c3382bb793f37f958ba1632e8dc17b86475b2fa880747f9678894a95ab819805f276533af55ef6da46c734c5e0f1a40588b586c1
Filesize: 203B
  MD5: 04feaa1d4f81483c9a2f5482753019af
  SHA1: e1c3a09f0480eeeb31de4ed99ffffc742431227c
  SHA256: 1382d4d1bf168cdff0146fc604ac88135c8014d3f41caa2aa4a6feca19a902a1
  SHA512: 554815da60b126a8784ad2d042d5a9aab7e9678d5e2f6b79e0abfba213d2b465ea424c7bf7da1d53af004e0ed14d5a990cd851472dbbdf2d5eee38f2ae0870e6
Filesize: 171B
  MD5: 69a183cff34416725afbc7d921438a47
  SHA1: f9d1ef1277f79192dd16fb501ecde4a27f39f29d
  SHA256: 39151a714e0e211945e7915c76f29399d378472fae6bfd6daee304915ac63519
  SHA512: 25bebb3b3adf2274379ed0d0ea1390e6506de25160e5091129691b168b4bf65602f3faaa0016cf2eb32e686c61b7882c2c0fae57386fe2485df5fa3f68c0dc4c
Filesize: 2.6MB
  MD5: 1868be1e930162b4549fb2347ba53ee2
  SHA1: 860d3434c512efeefddc95e1e71fdd7915d6658c
  SHA256: f9638cd0ae18341e617c205f1e820947330437165cc1eecb975f9606549a7660
  SHA512: 3deefad36469a80e013d1dac7a64a1234f4c0c5b764b3ee7c803da3f89982fda9f9e84b738c6f829d1fdd9a67394587d3b6559dfffa50a8b96547511be6b93c0