Analysis
max time kernel: 119s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Resource: win10v2004-20241007-en
General
Target: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
Size: 2.6MB
MD5: 8783f6824ec21bbc49a9b9081cbae892
SHA1: 85a63c5c1c7a7a14a8c8a090e1e648b1eb770433
SHA256: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499
SHA512: e59e0b90b56a77f9c206059baebb95ac9cd7eda3c9516fa72b093eb225039604d1c2c998f246e98c7560e8ad25b7506e8b975ca27145435cb4afe2c396d494bc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSy:sxX7QnxrloE5dpUpvbt
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description   ioc                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe

Executes dropped EXE (2 IoCs)
Processes: sysadob.exe, aoptiec.exe
  pid   process
  2620  sysadob.exe
  4632  aoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR0\\bodaloc.exe"  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEO\\aoptiec.exe"  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe, sysadob.exe, aoptiec.exe
  description  ioc                                                      process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysadob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe, sysadob.exe, aoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description                       pid   process                                                                   procid_target
  PID 4564 wrote to memory of 2620  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  87
  PID 4564 wrote to memory of 2620  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  87
  PID 4564 wrote to memory of 2620  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  87
  PID 4564 wrote to memory of 4632  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  88
  PID 4564 wrote to memory of 4632  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  88
  PID 4564 wrote to memory of 4632  4564  e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe  88
Processes
C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
  PID: 4564
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2, child of PID 4564)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 2620
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocEO\aoptiec.exe (depth 2, child of PID 4564)
    command line: C:\IntelprocEO\aoptiec.exe
    PID: 4632
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads