Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:53

General

  • Target

    86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe

  • Size

    2.6MB

  • MD5

    381cbfd3729a00cd95acba28f39ce3d2

  • SHA1

    de0c2044f6eb1bed4b82d1eed9d0b81133ebb5d9

  • SHA256

    86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2

  • SHA512

    af776a9343b3c0a8cf8898a0916b5cdedf47d6e9b7f7ceec269427e6619ca12aee9784576c27078af2c0c89031b8d425e136b0f4d3b01e201e78c5484c76d5b3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bSq3:sxX7QnxrloE5dpUp4bV3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe
    "C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3692
    • C:\SysDrv06\aoptisys.exe
      C:\SysDrv06\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintWO\optixsys.exe

    Filesize

    2.6MB

    MD5

    5ee0242c59ac6c6f647cba701302eb90

    SHA1

    432845c980dc4563bee919b4289fbe575c782b3e

    SHA256

    c1d3e2851bad7d96ef870beb154b89f96c31aff05675063609fadbebeb83542c

    SHA512

    5e2293efd0b973f412ab2d22620cba2fbe3a57207c77f1420b1cf9d45298c7bd6660ee4c5ba0d82ab006ca7eaef36e3d97564e0b0543cc2700547d911f5e7384

  • C:\MintWO\optixsys.exe

    Filesize

    2.6MB

    MD5

    69b0c2abcaac6981564fc2eb050d65ab

    SHA1

    4b1c013c60c91d256fc8aaf029e06a78acc4ca48

    SHA256

    769758108b1398743473b3597de04097dd888adfec927c9f9a7ae51e90017f63

    SHA512

    d2f361a5327959dcf1a28c56bfa2911e9ca4c19c93bafb7188af7b5e0b4e39bff90eb33dfa176a75044e8e9bc516279a5c1afeca9c66018a65c202b401315035

  • C:\SysDrv06\aoptisys.exe

    Filesize

    283KB

    MD5

    bc78fad020d6cf8338d6b2a6ae286757

    SHA1

    fe86d7d7d48fe5a9e7b05642a4f23c78d33282a2

    SHA256

    ef48ebcb9e6a347ce2b1e5054b37ff61bc0205c89232108d3a08a436aac044e0

    SHA512

    ca8fe7ca8d34711ee1ac6712722b5ed106bf1b94650c243e4f019d07e2a40fcbec41ff02d5d052da8d1040517dc15c4689ad22a8e8f4e87108807b442aec6b5b

  • C:\SysDrv06\aoptisys.exe

    Filesize

    2.6MB

    MD5

    aaaf500951fd8b5f5cc1bfdbee7d6434

    SHA1

    3696cb2f1034cc2a0f154824f590832a08c817fd

    SHA256

    4235106f05b78c74b7d2e7eeb281c5953a29b62c1787477d1a3514fd52290b24

    SHA512

    fab8c247bca39e2030eb15fa1465e2cd360a00dd58b30c41dc8ed8a4d9ed2c20004476a46398f78bc02b875609762caa2b5a01c437960770278ae1a8202d65ca

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    bf6ceda0b1ed8a76c58ba9ec0d79e726

    SHA1

    e4cb1a2ae26716d719f4dcc90e439fd4d5359f3c

    SHA256

    8663fcac9199fd59a2f33311eecadb42b76f24d88fd3f3b2fb220d571ab9fd9e

    SHA512

    afeedb7a5fba2a15dd3dcb28a9d856b90d679f90640944b457030c7becf0cff465e4361e1bb75b659e22ede2ea562ae458f9ef9d4ba2f46a185b79ec7729ca57

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    e90be7b1713350130b9ff41b3a2c7a0d

    SHA1

    f81541c6023c39c1d445291ca64a8a3fb9ad2037

    SHA256

    ec459313cc598ed34332eb2c36bf078b206d06a281928ea80c6f08af8d41b719

    SHA512

    f029294903257997438e2b092e3bf9c8392812f7694dc6f681495b245f1d5008fb1d797f6390d7aaf00bad6a6c5866611178a60d00b15babf32a4602e38b8717

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    2.6MB

    MD5

    6ef74dd3016d64f515ba4e074dd4d433

    SHA1

    477514f6e566ac581a6569f3ec13574946709c69

    SHA256

    d9b639bbd5a18ac0b6281bee668df202e8dcfc599644c22873aeecd6737552f3

    SHA512

    6ede84138690e4b96e5eb9a8798de094fc2aa7612abcf462e8d39da464f74ab3960592e4712c9c6aebff9cef99abb863090c2623c352b9fcef6fd9b2e8defe6b