Analysis

- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 18:19
Static task: static1

Behavioral task: behavioral1
  Sample: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Resource: win10v2004-20241007-en
General

- Target: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
- Size: 2.6MB
- MD5: 20774abcb3137c180673bf29c1e0e420
- SHA1: e0ea9b3a5c455bea85fa7ce17cd37fd3413e0028
- SHA256: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4
- SHA512: 962ced127ef0b1447572b45dae015d80e4ad05932b3f15acc57d396b9164c7d27a80bbb09cd41ca68b1b2e87540e010f52aa2d2e96c5344850a365ea4c88925b
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSq:sxX7QnxrloE5dpUpKbV
Malware Config
Signatures

- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Process: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
- Executes dropped EXE (2 IoCs)
  PID 3044  sysdevdob.exe
  PID 2092  aoptiloc.exe
- Loads dropped DLL (2 IoCs)
  PID 1732  bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe (2 hits)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data. No individual IoCs are listed for this signature in the report.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2H\\aoptiloc.exe"
    Process: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMU\\dobxloc.exe"
    Process: bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Both values use the name "Parametr" and point at non-standard directories created by the sample. The Run entry targets aoptiloc.exe, which does run during the trace; the RunOnce entry targets dobxloc.exe, which never appears in the process tree, so it is staged for the next logon rather than executed in this run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by aoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by sysdevdob.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1732  bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe (2 hits)
  PID 3044  sysdevdob.exe and PID 2092  aoptiloc.exe (the remaining 62 hits, alternating between the two)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1732 (bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe) wrote to memory of PID 3044, procid_target 30 (4 hits)
  PID 1732 (bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe) wrote to memory of PID 2092, procid_target 31 (4 hits)
  Both targets are the children that 1732 spawns in the process tree below.
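The signature rows above (Run/RunOnce keys, the Startup-folder drop, the dropped EXEs and the WriteProcessMemory records) are what an analyst turns into hunt-ready IoCs. The following is an added Python example, not part of the sandbox report or any vendor tooling: it parses those flattened rows into structured records, rewrites the SID-specific \REGISTRY\USER\... path into the HKCU form used when hunting across hosts, rebuilds the parent/child relationship from the WriteProcessMemory rows, and lists persistence targets that were registered but never observed running in this trace. The sample rows are copied from this report (the WriteProcessMemory row is shortened to four of its eight records); the regexes, the trusted-directory list and every function name are assumptions of the example.

```python
"""Added example, not part of the sandbox report: parse the flattened
signature rows into structured IoCs. Regexes, the trusted-directory list
and function names are assumptions of this example."""
import json
import re
from collections import defaultdict

# Constructed input: signature rows copied from the report, one string each.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2H\\aoptiloc.exe" '
    r'bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMU\\dobxloc.exe" '
    r'bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe'
)
STARTUP_ROW = (
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu'
    r'\Programs\Startup\sysdevdob.exe '
    r'bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe'
)
WPM_ROW = (  # shortened to four of the eight records in the report
    'PID 1732 wrote to memory of 3044 1732 bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe 30 '
    'PID 1732 wrote to memory of 3044 1732 bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe 30 '
    'PID 1732 wrote to memory of 2092 1732 bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe 31 '
    'PID 1732 wrote to memory of 2092 1732 bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe 31'
)
DROPPED_EXE_ROW = 'pid Process 3044 sysdevdob.exe 2092 aoptiloc.exe'

_SET_VALUE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+) = "([^"]*)" (\S+)')
_SID_KEY = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.IGNORECASE)
_MACHINE = re.compile(r'^\\REGISTRY\\MACHINE\\', re.IGNORECASE)
_WPM = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)')
_PID_NAME = re.compile(r'\b(\d+) (\S+\.exe)')

# Assumption: autoruns whose image lives outside these trees deserve a look.
TRUSTED_AUTORUN_DIRS = ('C:\\Windows\\', 'C:\\Program Files\\', 'C:\\Program Files (x86)\\')


def normalize_key(key):
    """Rewrite the kernel-style registry path into the hive form used for hunting."""
    key = _SID_KEY.sub(r'HKCU\\', key)      # per-user SID path -> HKCU\
    return _MACHINE.sub(r'HKLM\\', key)     # \REGISTRY\MACHINE\ -> HKLM\


def parse_registry_autoruns(row):
    """Split a flattened 'Set value' row into one record per registry write."""
    entries = []
    for vtype, key, value, proc in _SET_VALUE.findall(row):
        subkey, _, name = normalize_key(key).rpartition('\\')
        entries.append({'key': subkey, 'name': name, 'type': vtype,
                        'target': value.replace('\\\\', '\\'),  # undo escaped backslashes
                        'process': proc})
    return entries


def is_suspicious_autorun(target):
    t = target.lower()
    return not any(t.startswith(d.lower()) for d in TRUSTED_AUTORUN_DIRS)


def parse_created_files(row):
    """Paths may contain spaces; the writing process name never does."""
    files = []
    for chunk in row.split('File created ')[1:]:
        path, _, proc = chunk.strip().rpartition(' ')
        files.append({'path': path, 'process': proc})
    return files


def startup_folder_drops(files):
    """Files written into a per-user Startup folder run at the next logon."""
    return [f for f in files if '\\start menu\\programs\\startup\\' in f['path'].lower()]


def parse_process_tree(wpm_row, dropped_row):
    """Parent -> children edges from WriteProcessMemory rows, plus pid -> image names."""
    names = {int(p): n for p, n in _PID_NAME.findall(dropped_row)}
    children = defaultdict(set)
    for src, dst, proc, _target in _WPM.findall(wpm_row):
        names.setdefault(int(src), proc)
        children[int(src)].add(int(dst))
    return {p: sorted(c) for p, c in children.items()}, names


def build_ioc_report():
    autoruns = parse_registry_autoruns(RUN_KEY_ROW)
    files = parse_created_files(STARTUP_ROW)
    tree, names = parse_process_tree(WPM_ROW, DROPPED_EXE_ROW)
    executed = {names[p] for kids in tree.values() for p in kids}
    return {
        'autoruns': autoruns,
        'suspicious_autoruns': [a for a in autoruns if is_suspicious_autorun(a['target'])],
        'startup_drops': startup_folder_drops(files),
        'process_tree': tree,
        'process_names': names,
        # persistence targets registered but never seen running in this trace
        'dormant_targets': sorted(a['target'] for a in autoruns
                                  if a['target'].rsplit('\\', 1)[-1] not in executed),
    }


if __name__ == '__main__':
    print(json.dumps(build_ioc_report(), indent=2))
```

Run as a script it prints the IoC set as JSON. For this report the tree is 1732 -> {2092, 3044}, both Run/RunOnce targets fall outside the trusted directories, and dobxloc.exe shows up as a dormant target because nothing with that name executes in the trace.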
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe  (PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (PID 3044)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Files2H\aoptiloc.exe  (PID 2092)
        Command line: C:\Files2H\aoptiloc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.6MB
  MD5: a2ff3513095e90a722628a399bc52de7
  SHA1: 15fa36f3992927dede566d1082d9432138c0f77f
  SHA256: 0ef2278eb794378a7112af79195449a78f6687ab07b66bc05b36d6ac203ad12a
  SHA512: f9b60a18c3c8d08e303b77c7a46f1cd28d0a96b98be894e52b45fe5cc19be6088b93ea2670ae9edbade3f02b318c65d90e03cfdb4d8b208e63a80753fc7ea912

- Filesize: 20KB
  MD5: 2873fb57ea06e0913c9b5dde7bd73c2d
  SHA1: c2794b886d0f3c44e805ffe343756fd81b5c87ec
  SHA256: 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587
  SHA512: 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

- Filesize: 2.6MB
  MD5: ab3e71f138bc1692523acd44f8e1e5a9
  SHA1: 990b6c583bfd9e549318cca927d97b4be808225b
  SHA256: 486bc68473880756a8b8df4f256378dffb93f82408aed0d60bacf4551f2950ef
  SHA512: 06f534d086e3d4891e3c00fada936b9f5b6715a4e414ab14c5965dd35752a4f1d62d08e1bcf7819f4fcd91b0b406e23f559b01caab537891d440d9947f0427c5

- Filesize: 172B
  MD5: f6cd40a5ab3fae93f0b666d54f9b0b62
  SHA1: bad908badc075a7186b5c3e364064de397ab8061
  SHA256: 394103ea339335d3bee9ba41f3aa41cbd6a7c29cb8fface2723bc22b226d2648
  SHA512: 3f7fa8c22ef9b7a2f244463bc677d3a7399b06edc551e6c42847a834e57d30da54891556ea3d6c6ec31d6b57d6d5c514204d64c178c3c3b4deea5d823ff7d68c

- Filesize: 204B
  MD5: 4f4d6572ed5b7523fe8c21082320b3e4
  SHA1: 16351888e919e6162c388c8c4a1eadf2e3cdf761
  SHA256: fc0de4d840172dead85e46c9036ca470c7861cef2f7d8da4fb1693aa550d7e79
  SHA512: 9261eed7769ee27fad6096695349e0b4dc04baa06bbf045cbd7c657bc226d887cc6c524119dcab7b2915fd109d138e441a71687db2e0ade814e19269762f261a

- Filesize: 2.6MB
  MD5: a1a53fac4810271dfbd7f096006bf81e
  SHA1: 38ea8873f0eaeec8a91af58ff2ade27a78a8b140
  SHA256: 4bfba03a5e182b962bd1e76450c9e0cf4a3ba7b914714bae63221fbefe628cb7
  SHA512: bd6d63207ab527f895bccf15b772b857bceee9e1ccc4045af29d8aabfcfded39ae63a7c5b4f36eed66743c9133e498cb20cf230e0db78e21751b61b9a2673d7e

The three 2.6MB files match the size of the submitted sample but carry distinct hashes, so the dropped copies are not byte-identical to the original; hunting on the parent's hashes alone will miss them.