Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:56

General

  • Target
    47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  • Size
    2.6MB
  • MD5
    da11845940bba82434441431461226c3
  • SHA1
    1871690ab9f59b0ed5e6bc612daeadea82f9fd03
  • SHA256
    47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9
  • SHA512
    f077761aa3f23263b2ae31ca733a4504cadd5227202c48becebbb33b560336b48d10ad214b5a4b40cb71a5ed8155741f7af7a521cdf590d82108318409c53076
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSm:sxX7QnxrloE5dpUpeb/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
    "C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4960
    • C:\SysDrvY1\aoptiec.exe
      C:\SysDrvY1\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:524

Network


Downloads

  • C:\MintOA\optiaec.exe
    Filesize: 49KB
    MD5: 5139b167ad5088bb5e3cb3f439674ade
    SHA1: f6929b7f22e30f06b3e4175e265e5d355d5d7e8a
    SHA256: 95f84b75e91ebc70e17a2183993fd1c1f0607e1c1f2095432283ced08338b05d
    SHA512: 3f566c19f63a417f8e29104ad4f9e08acc4f706160c049eabde3a7274be328615d3ec266040e90c9bee8e28a498a05c430907c81eb2d44e018a3cbff1d1a4383

  • C:\MintOA\optiaec.exe
    Filesize: 2.6MB
    MD5: 0faa932f20913d8928260caef94fc639
    SHA1: f4cc67c7419c8921a1e665f2b6d92d507ca19697
    SHA256: e592f26f65c1e901ebe5bd382341676b0eae527e02747db8d663be757d195f44
    SHA512: ed1420359449c1f52c048b3b9b8f8d37a9f95345a7dccce2bef70cfaa5601144ffded7b5d496c1d114aabbcdd8358e1c3ac8ecc1c248512f6cc5f5c4b7afcc5f

  • C:\SysDrvY1\aoptiec.exe
    Filesize: 2.6MB
    MD5: 8e566bdacfaca0d5180e72f2d342116b
    SHA1: 73ecfde21bcd48c5f09f675bfe90bc9edc27f096
    SHA256: b87bd6ad81a1df1bf17d5fe5f38e4daa09043118ece64ca2d69056dedba432cf
    SHA512: 87e592a2f89a55d8841159328311fe12639fcdfefeb86dbbcc8ca4ebc83572273d0b85e328d1f2ef680b3896a1d81c38a251616eb25d30b257342e6b2fd58bc8

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: d259cd59da211a5963f7c7745cb9033e
    SHA1: 7fdb1c2fa136356e711bff75cf69608592c28474
    SHA256: fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0
    SHA512: f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 395aed0919abbcedad21936d19aacc03
    SHA1: 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915
    SHA256: a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30
    SHA512: f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize: 2.6MB
    MD5: 787027c502952ec3bc6a4c5ae12c35bf
    SHA1: 216b9bae0618963fce6c80d9972a2ac7156e6904
    SHA256: b08d5d845a90d2ebd57d82f1025c8a768ada151cfb0a139e44d148acaf9f63ca
    SHA512: eaa130204b6a583282e380ebdb474c1e134043a987e39a562ff375eeb3b36596efe4c240f27d9c49a1cd4b43dd35db5947c0b47dbcb2355464c3eb3b0213c42e