Analysis

  • max time kernel: 119s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/11/2024, 17:21

General

  • Target: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  • Size: 2.6MB
  • MD5: b02acf8834d13c489e9d68c88e408a00
  • SHA1: 1138f824f9ea808c7c7456c09168672f04a6a07a
  • SHA256: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59
  • SHA512: 6dd195588b647e254b454d6017c20c22177e912fbe7280fd0638dac9496ecbe323c90b64577f1879634d1ae75493326636a2ddd74f33dd6a00a1e22d6e56bb89
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe (PID 4824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 2524)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvY1\aoptiec.exe (PID 4764)
      Command line: C:\SysDrvY1\aoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network


Downloads

  • C:\MintOA\optiaec.exe
    Filesize: 16KB
    MD5: 7194af4ca8b5784e038c373119d798e5
    SHA1: 9c114add88126c1358d7020ca7697c5b0528ea2d
    SHA256: f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050
    SHA512: dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

  • C:\MintOA\optiaec.exe
    Filesize: 2.6MB
    MD5: f1532f6d4577f6c53a5b165b06d12fbe
    SHA1: f3c0c35d06ed9298996e1b5fb93d43354c4eaac5
    SHA256: 4e1e07606d8cb72bb98ed4392c64962ac7fa5f0e029d7daf06a60a7b44d8fdb3
    SHA512: 10934786bb2fb62e6c0c40a4b81f18acd3d993fae996b7a3f2a67ac108971e6e288d47e4146e8baecdb87e7a9be5275022879d44403e750d83abe02c73d85043

  • C:\SysDrvY1\aoptiec.exe
    Filesize: 15KB
    MD5: baebd565738a73b1785d23f85b9b1880
    SHA1: 3e776227196d9cbee3a9edf120876f20e6af105e
    SHA256: d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7
    SHA512: 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

  • C:\SysDrvY1\aoptiec.exe
    Filesize: 2.6MB
    MD5: 63500340a71f9a11b60ec273155857aa
    SHA1: c10f4d8b64900a0a3c1513a0d704eca7dca02ccb
    SHA256: 384150a36cd9cdae9137632bd6df57ee2933342a01746e2f51b45c165586be62
    SHA512: 442a22fca97b7a23364bb31d68cd14b1169ad42e24d5f9e5eae933fc1584206b7772089f2adc8acd0dac30e4813cae8356188e3094ab6d86d324a5834a7b3720

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: d259cd59da211a5963f7c7745cb9033e
    SHA1: 7fdb1c2fa136356e711bff75cf69608592c28474
    SHA256: fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0
    SHA512: f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 395aed0919abbcedad21936d19aacc03
    SHA1: 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915
    SHA256: a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30
    SHA512: f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize: 2.6MB
    MD5: b0db2fc4c001e1678b8463652484550e
    SHA1: 327afef2fe550e9ce3109d435614e65c4c03c932
    SHA256: 0543244fabbd49892985f4b4a84b8e767a2605fb057cc9544959ba25ca61ad75
    SHA512: d6efc49f9e417fb829705cba251062679ed2bf7b049dfc642c42f3562e6361f61bf94354f2dad43ded771bf3f4677a5e50ed1077186a6399748bdb4b486b07f9