Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
- submitted: 13-11-2024 20:09
Static task: static1
Behavioral task: behavioral1
- Sample: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
- Resource: win10v2004-20241007-en
General
- Target: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
- Size: 2.6MB
- MD5: 203f4c41eb2e8c69a4d33856f1af0c68
- SHA1: ff754d5ed459f7190f466557c2d5be8b6d919890
- SHA256: ca5af6f50665a4c1144ceb697f95cfee6eaf1b03a76f21064c36470003d771d6
- SHA512: 6e88038aeff2497207cf1fdaff0f033eff9f5db5c022668e590ee34ecd3153a8a014cb197c6c2198ba88b8e85fbc286c8aa02f746a71efaacd66db6c2aeb247a
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqF:sxX7QnxrloE5dpUpfbVF
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (by 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe)
- Executes dropped EXE (2 IoCs)
  Processes: locabod.exe, aoptisys.exe
  PID 2056: locabod.exe
  PID 2932: aoptisys.exe
- Loads dropped DLL (2 IoCs)
  Processes: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
  PID 2360: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2J\\aoptisys.exe" (by 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1V\\optixec.exe" (by 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: aoptisys.exe, 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe, locabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by aoptisys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by locabod.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe, locabod.exe, aoptisys.exe
  PID 2360: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
  PID 2056: locabod.exe
  PID 2932: aoptisys.exe
  (64 entries in total, all from these three processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
  PID 2360 (3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe) wrote to memory of PID 2056, procid_target 31 (4 entries)
  PID 2360 (3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe) wrote to memory of PID 2932, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe"
  PID: 2360
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (depth 2, under PID 2360)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    PID: 2056
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrv2J\aoptisys.exe (depth 2, under PID 2360)
    Command line: C:\SysDrv2J\aoptisys.exe
    PID: 2932
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads