Analysis
- max time kernel: 120s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 14:15
Static task: static1

Behavioral task: behavioral1
- Sample: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
- Resource: win10v2004-20241007-en
General
- Target: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
- Size: 2.6MB
- MD5: bc4c0a71addfe6f7740b88d9795c86f0
- SHA1: f576d9f33c789bc91515a2e5bd44770ad7134d41
- SHA256: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3
- SHA512: 4f2f047e03ebd4fbc8dd101f8592f7fd887252c39157bc4b9c18db2a7b5ec2a14197a36829d2d3363a6b7b13026b905175574643468148ab656c36321770a355
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures

Drops startup file (1 IoC)
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (process: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe)

Executes dropped EXE (2 IoCs)
  Processes: sysadob.exe, aoptiloc.exe
  PID 2552: sysadob.exe
  PID 2816: aoptiloc.exe

Loads dropped DLL (2 IoCs)
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  PID 2540: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZS\\aoptiloc.exe" (process: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAE\\dobaec.exe" (process: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, sysadob.exe, aoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptiloc.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, sysadob.exe, aoptiloc.exe
  Repeated entries collapsed; the 64 events come from these PID/process pairs:
  PID 2540: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  PID 2552: sysadob.exe
  PID 2816: aoptiloc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  PID 2540 wrote to memory of 2552 (2540 b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, procid_target 29), 4 events
  PID 2540 wrote to memory of 2816 (2540 b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe, procid_target 30), 4 events
Processes

- C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe (depth 1, PID 2540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2, PID 2552)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\FilesZS\aoptiloc.exe (depth 2, PID 2816)
    Command line: C:\FilesZS\aoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads