Analysis
max time kernel: 118s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Resource: win10v2004-20241007-en
General
Target: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
Size: 2.6MB
MD5: dc534873a9ba105945ebf06e192419f0
SHA1: b51bda8ba241a8554fadbf7a8613e9f2bf055b89
SHA256: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729d
SHA512: 8aae109d654457002c11c5537d1078a03fe1304a62725830a62326b29aedd5aba70a29b88f67ebbe1a696369698238946b1a8de0e6ce011004c9463e698819fd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)

Executes dropped EXE (2 IoCs)
  pid 2148: ecxdob.exe
  pid 1088: aoptisys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVQ\\aoptisys.exe" (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6X\\dobxec.exe" (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ecxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: aoptisys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 3820 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe 3820 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe 3820 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe 3820 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe 2148 ecxdob.exe 2148 ecxdob.exe 1088 aoptisys.exe 1088 aoptisys.exe -
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3820 wrote to memory of 2148 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 86
  PID 3820 wrote to memory of 2148 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 86
  PID 3820 wrote to memory of 2148 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 86
  PID 3820 wrote to memory of 1088 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 89
  PID 3820 wrote to memory of 1088 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 89
  PID 3820 wrote to memory of 1088 | 3820 | 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | 89
Processes (tree depth shown by indentation)

Level 1: C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3820

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2148

  Level 2: C:\UserDotVQ\aoptisys.exe
    Command line: C:\UserDotVQ\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1088
Network
MITRE ATT&CK Enterprise v15
Downloads