Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 16:56
Static task: static1
Behavioral task: behavioral1
- Sample: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
- Resource: win10v2004-20241007-en
General
- Target: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
- Size: 2.6MB
- MD5: da11845940bba82434441431461226c3
- SHA1: 1871690ab9f59b0ed5e6bc612daeadea82f9fd03
- SHA256: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9
- SHA512: f077761aa3f23263b2ae31ca733a4504cadd5227202c48becebbb33b560336b48d10ad214b5a4b40cb71a5ed8155741f7af7a521cdf590d82108318409c53076
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSm:sxX7QnxrloE5dpUpeb/
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe

Executes dropped EXE (2 IoCs)
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe"
  Process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe"
  Process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locxdob.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
  pid 4960  Process locxdob.exe
  pid 4960  Process locxdob.exe
  pid 524   Process aoptiec.exe
  pid 524   Process aoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2172 wrote to memory of 4960  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 86
  description: PID 2172 wrote to memory of 4960  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 86
  description: PID 2172 wrote to memory of 4960  pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 86
  description: PID 2172 wrote to memory of 524   pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 89
  description: PID 2172 wrote to memory of 524   pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 89
  description: PID 2172 wrote to memory of 524   pid 2172  Process 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe  procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
  PID: 2172
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 4960
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\SysDrvY1\aoptiec.exe
    Command line: C:\SysDrvY1\aoptiec.exe
    PID: 524
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads