Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:09

General

  • Target

    3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe

  • Size

    2.6MB

  • MD5

    203f4c41eb2e8c69a4d33856f1af0c68

  • SHA1

    ff754d5ed459f7190f466557c2d5be8b6d919890

  • SHA256

    ca5af6f50665a4c1144ceb697f95cfee6eaf1b03a76f21064c36470003d771d6

  • SHA512

    6e88038aeff2497207cf1fdaff0f033eff9f5db5c022668e590ee34ecd3153a8a014cb197c6c2198ba88b8e85fbc286c8aa02f746a71efaacd66db6c2aeb247a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqF:sxX7QnxrloE5dpUpfbVF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\SysDrv2J\aoptisys.exe
      C:\SysDrv2J\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\KaVB1V\optixec.exe

    Filesize

    2.6MB

    MD5

    41a859b522d7396e1ad37d0d1c9dcd3b

    SHA1

    e9f5fe604ae42bac640b9b7f0b8bfa671be9defc

    SHA256

    05027195ccea46753d93e98bdb54b99995b2523b51beb3bfda1aa8e09a1b0d7e

    SHA512

    291b3ba14a74f8571bcf9cc964d5bf4fee5d8519333f2662e26e5465f0014e763355cf4b2a12bf88acd871f026b550d49881274626a433d6ec329211e5128ba8

  • C:\KaVB1V\optixec.exe

    Filesize

    2.6MB

    MD5

    993a5add60c8491dee9679bbbd9c175b

    SHA1

    45d2eec8226980602a5b7afd1719390bdc1d615d

    SHA256

    898fc8f546838bfc03dde3b5cd7fd990e118be7c4ba3228b13d265c91176a491

    SHA512

    0b758d23aca3df241a38e331bd4c1db1199f7f96362cedddde9503920136786dd45ecdba08b26ca062d5d60d2dec9c4f2e8d275a8953d04b6aeec516a5a8955b

  • C:\SysDrv2J\aoptisys.exe

    Filesize

    2.6MB

    MD5

    30d227bffd6aebc404e3e74e3510b5b3

    SHA1

    87e089d047f1adc0a2dd7e80f7b42e6eeb723123

    SHA256

    89b702f0e5d209f9c09fd6acf5b97f39816334fb0a1ea83e017135bf17fa2943

    SHA512

    3bbdf6a93a47ce54f2a95bbafb458192aa670b7da4b2566968f2cc5196ff0e44e61469945ded6bbbbb37decfee3a9c868aaafab81e1ce10283384568421fe324

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    1f984fd0a33175ab72dc11e84c15abf7

    SHA1

    7788533226b9d987100bc2801b92ea2347fe6f6d

    SHA256

    0eecbe0503b085b1898e3668969eebcdb51232b9f97feafb9425d3ad308e3d6f

    SHA512

    ea4dcf409ba7a49e1ecea02ba17ca48bdd62b0ae6bc531e2ef95e7db48ff7c6d2a710bd85abfcd0cc63110cffd17bc3bc28dce227ae0120ed221d94448f9b815

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    09db33ed3167f28ba24747b8a38f3f86

    SHA1

    7f550fbc0c31d015f8249f2dafecf16defa48bcd

    SHA256

    32c72b5ec84cab6f074f80769c9979dc20c13e70d4851d152239dffe4e910c80

    SHA512

    13f0a9e96b65c0ddd643a3e7e148ce6e9d3bb490e2e54d4e72641b011166c59db9fa8ef99cda216985de961949038130a5d9d54e2ecde795f7c54f49960a3b5e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    2.6MB

    MD5

    9c94533ae032fd646311252353c91daa

    SHA1

    ebf91d45be5a67ffa1903db87dd63a6a92c0034b

    SHA256

    566028637531f5310da6438f38f6120553d9f59434867f6fc744550fb6b14b04

    SHA512

    8d15e8a40ffb3b266bc54c61a7922c38824b576065acefb777df35d91a80b77eea604ac39aa8d3a79c5495def79c1cb08abadd92a6a3107d57f527fb02a2691e