Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:12

General

  • Target

    b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe

  • Size

    2.6MB

  • MD5

    8bc258d93c9660e6bab845d73bf1741e

  • SHA1

    b20ae60359f874b72be577665ba9f2c1eef75a12

  • SHA256

    b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580

  • SHA512

    03716287275c54d878f34baedc60e265dd3f37394f175583c2ddf71827e23642d59365414f1617f09ce9a5b4d7649695bdd74f44ede20a3d6ce34deff65e8a9e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSQ:sxX7QnxrloE5dpUpfbP

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe (PID 1688)
    "C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 2212, child of 1688)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesUL\aoptiec.exe (PID 4992, child of 1688)
      C:\FilesUL\aoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesUL\aoptiec.exe

    Filesize

    254KB

    MD5

    3b2934fc5f72646178e1cfb228f34be3

    SHA1

    8d21c5bb1b5b91d7b2f365a8022a24f8cc11bc0b

    SHA256

    4bd4492b50bcd8fd7e9918a1deec35b27346ddff5e8076cfaf248fa4875a710e

    SHA512

    215d48d0a6f75c488f09a6a13f7016b164abc32174c6a489d06444fc055cd6e43f3036cb332dfa54ada1bb5e3ddb943e1e906e78c4278ddb04db435d52d03eb1

  • C:\FilesUL\aoptiec.exe

    Filesize

    2.6MB

    MD5

    71be9bca5daa3d51d1341d612c6bd167

    SHA1

    fc392c685fabb3863aa438964133b63e9785ed17

    SHA256

    9dd3d742345d9505f1dd763e6d640604edc2336fdeb0e82caf9d6698ebd392e5

    SHA512

    60d8b207d15d3e6e38c729b8bf3aa76195af2f4586a4588ef9339dd5a48a379143e4ed6cd0e23328200ecb7e98145fadc635e322cadc726d0966e948dde4e05a

  • C:\KaVB07\optixloc.exe

    Filesize

    162KB

    MD5

    c61d0ad86e2a3e82cae13263250b420f

    SHA1

    71e6476222b91f9534276eb02d157ef8d5e6f09e

    SHA256

    cd362e7cb93139dfa746d6e36563c4059d21859cfbbdc0666e4e4e05ca8d7b75

    SHA512

    90f98739b69d71b284513f3aac67710f39232834d9bf9f127d23ec94b2fb6e83014be8c1b23d89ae42e9aa25a4aab46f4fba1537ac9297dc9f1e2a9ae624d9cd

  • C:\KaVB07\optixloc.exe

    Filesize

    2.6MB

    MD5

    c65046a9c650b86ea0ebf349a0b2d2a8

    SHA1

    6f56c5320a3d58c809e97d4ec86ff10893ac9170

    SHA256

    a62dace441748002f25ded91fb7906af77eef1676af72ab54849c0683327ea4d

    SHA512

    79d8801507e55936cc244a7a25bf801154e1f2d5f98d57d76ffc57919b7f4f8adc47690664e2de7f95f678d296cfcd1df7c6acb75a01c6e599eb1dfda067a54a

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    a83dea9eefd5399f750954ffa4af86c7

    SHA1

    b4a7c4af8ff043b790c654d30d0fd1c87252a7e6

    SHA256

    1b82c6f6ee3b182a8669cbef62166c277c4ceed8a2a03a52b2cc4ef1a5f6c500

    SHA512

    24bb36b352d402a4aab6a962a9b28d2e46ac9feb70665ffeea0b7f86e54fb01b99fe465d4b52f05d2a1c78e005c9df3f0d454ad0616958cc5d624a70ce309bcf

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    6c1a38bb93468b29f2cc8c6b076c21a0

    SHA1

    ea438968973bd2b0e7ad2aacf18e745a1958a72b

    SHA256

    c380ffa4e93d69e4046c307dc1dd271afc60f2c6d72f06d25050706369c2a37f

    SHA512

    42886f3d5e40e1280298c993d3f4a1573314762355ed8a7ed6f0a8fcf7961136628d2f9372149b4791b32e8a5f5df67c6950636a1c6e42c7e0946fab7d78b695

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    2.6MB

    MD5

    28e9e13f4a009efaef520317bb98e4fc

    SHA1

    97532e3fd2900bc7af9ecd2284da638e647f7b92

    SHA256

    333fd3cc804da802b17d2c4724acc184ebf2b3655a477337bacbf8568ea429d0

    SHA512

    fdd21dad9bf469098f29c7618e093722a40dada508b772792a0ebc45c7bcffbdc3481488f5d93bac59fa14b3e8db6376a28751cc4437bb192e8597694c8a0c18