Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:14

General

  • Target

    234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe

  • Size

    3.0MB

  • MD5

    9093c5110a16d657b27769dc999c0ee0

  • SHA1

    510e01898403115261b241c61b013510ee5f8a49

  • SHA256

    234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231

  • SHA512

    14d5141c85dbabc6cb95a49c5a6ec659ad8281e2c6f445afcc11f91daab2b7d6037a4ec8910aafdbb85eb0bf76e09377bbaa6c2e0d3c6400d0d912bb93d0dafd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpPbVz8eLF

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
    "C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2324
    • C:\Intelproc4O\aoptisys.exe
      C:\Intelproc4O\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:464
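
The signature list and the process tree above are enough to write a host-side check. The block below is an added example, not part of the sandbox report or of the analysed sample: it maps constructed telemetry lines (a simplified '|'-separated key=value format, not Sysmon's real output) to the report's signature names, treats "Executes dropped EXE" as a stateful rule (a process image that an earlier event in the same log created, or a known dropped path), and looks up SHA256 values against the hashes listed under Downloads. The parent PID 612, the Run-key hive and which file the Run value points to are assumptions; the report states only that a Run key was added.

```python
"""Match host telemetry against the behaviours and artefacts in the report.

Added example, not part of the sandbox report. The event format below is a
constructed, simplified one ('|'-separated key=value fields), not Sysmon's.
"""
import hashlib
import re
from collections import defaultdict

# Dropped files and their SHA256 values, copied from the Downloads section.
# dobxec.exe was written twice (160KB, then 3.0MB), so both hashes are kept.
DROPPED_SHA256 = {
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe": {
        "2fe93daab84dd656dc6633a0a6ca1021406ddcde439c59a8a1eb05d3ae9134cd",
    },
    r"C:\Intelproc4O\aoptisys.exe": {
        "a77faf4bf001251584028ea5d70989fec2a40d4391b807108a4064c7b64a4f71",
    },
    r"C:\MintLN\dobxec.exe": {
        "b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f",
        "43ccd4eaa5386e73301d86d31810ee29f4bd56a2c5110592a29e3631ced64400",
    },
}
KNOWN_DROPPED = {p.lower() for p in DROPPED_SHA256}

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# The report says only "Run key"; the hive is unknown, so per-user and
# machine-wide Run/RunOnce keys are all matched (assumption).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Constructed telemetry mirroring the report's process tree. ppid=612 for the
# sample and the Run value target are assumptions, not values from the report.
SAMPLE_EVENTS = r"""
type=ProcessCreate|pid=1452|ppid=612|image=C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
type=FileCreate|pid=1452|target=C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
type=FileCreate|pid=1452|target=C:\Intelproc4O\aoptisys.exe
type=FileCreate|pid=1452|target=C:\MintLN\dobxec.exe
type=RegistryValueSet|pid=1452|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run|value=C:\Intelproc4O\aoptisys.exe
type=ProcessCreate|pid=2324|ppid=1452|image=C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
type=ProcessCreate|pid=464|ppid=1452|image=C:\Intelproc4O\aoptisys.exe
type=ProcessCreate|pid=900|ppid=612|image=C:\Windows\System32\notepad.exe
""".splitlines()


def parse_event(line):
    """'type=FileCreate|pid=1|target=...' -> dict (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def lookup_sha256(digest_hex):
    """Return the dropped-file paths whose recorded SHA256 matches digest_hex."""
    digest_hex = digest_hex.lower()
    return sorted(p for p, hashes in DROPPED_SHA256.items() if digest_hex in hashes)


def hashes_for(data):
    """Hash file bytes the way the report lists them (MD5/SHA1/SHA256/SHA512)."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def detect(lines):
    """Map events to the report's signature names, keyed by the PID they concern.

    FileCreate/RegistryValueSet findings go to the acting process; a
    ProcessCreate counts as 'Executes dropped EXE' (attributed to the new
    process, as in the report) only if its image was created earlier in the
    log or is a known dropped path.
    """
    findings = defaultdict(set)
    created = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        kind, pid = ev.get("type"), ev.get("pid", "?")
        if kind == "FileCreate":
            target = ev.get("target", "")
            created.add(target.lower())
            if STARTUP_DIR_RE.search(target):
                findings[pid].add("Drops startup file")
        elif kind == "RegistryValueSet":
            if RUN_KEY_RE.search(ev.get("key", "")):
                findings[pid].add("Adds Run key to start application")
        elif kind == "ProcessCreate":
            image = ev.get("image", "").lower()
            if image in created or image in KNOWN_DROPPED:
                findings[pid].add("Executes dropped EXE")
    return {pid: sorted(sigs) for pid, sigs in findings.items()}


if __name__ == "__main__":
    for pid, sigs in sorted(detect(SAMPLE_EVENTS).items(), key=lambda kv: int(kv[0])):
        print(pid, sigs)
```

Run against the constructed log, the parent (PID 1452) collects the two persistence signatures and both children are flagged as dropped executables, while the unrelated notepad.exe launch produces nothing. Matching on SHA256 rather than filename matters here because every dropped copy has the same 3.0MB size but a different hash.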

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc4O\aoptisys.exe

    Filesize

    3.0MB

    MD5

    87e346237030a0115186712de1ba55e8

    SHA1

    c6ab7c5c52cc1a51630bcb97b133fe0801488f04

    SHA256

    a77faf4bf001251584028ea5d70989fec2a40d4391b807108a4064c7b64a4f71

    SHA512

    035d89c9009baa20058f4e72d52d8b5fde4d9888f3cf6dd874c5e881964a26a12b1007961f002113db70d28558cbf9682ee5d77e6174f986cee23ac6781bd85d

  • C:\MintLN\dobxec.exe

    Filesize

    160KB

    MD5

    726955c1a69f16ff4499befc01a68488

    SHA1

    9ceffa1fc28c8054de0e62e6fbd85eec608921e7

    SHA256

    b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f

    SHA512

    ddea6afcdad889fc3545b027b417b09c01da954ffacaaa72691fb09570fd9c6f7d8019711c6e0af12ba9a57df659f97f7fdac9647a88f09375a5ecb44818ca5f

  • C:\MintLN\dobxec.exe

    Filesize

    3.0MB

    MD5

    b2d77a3e7b154ddf5ca51c28a6701623

    SHA1

    f595d154a6fd7e7227edd829b5e8d0c4fa26ed7c

    SHA256

    43ccd4eaa5386e73301d86d31810ee29f4bd56a2c5110592a29e3631ced64400

    SHA512

    9eece8a337d9d77b64a64f1a09a5e72d45825171f7d43eff147c697cfa4a30ec9f6d1020d8d453d42cb96a3cd790ee8b31bd315d7a09d6c1a41fbfa7589cbc36

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    17b66f301518c144742b0c5d92e845af

    SHA1

    52528c0fd4f53ac3c01862972607c31cf7e9b8ca

    SHA256

    8e96d90b586a3fa8bda8c3241dd7e75494050bc0d830f6964e1b32a375fd7dce

    SHA512

    1cdf95c54b1746f1667aa8dae444edad1a208c6e382adea3ce82a44e015f772ff113ac9deec92c068f3c96e94bd35b425d167f3e59127a3c3b444af2a70bc120

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    e8df3cc577cbc5306cbf144ab06996f9

    SHA1

    84667810530a560d8365cb778279d9b72d87e5d2

    SHA256

    5956528b155623df5934d023c1963229db5c706432d9fc4cfc1258c9b4a7d69e

    SHA512

    693f688b1cc222133f1281b0b1fcc2a253e550232ca494ae6a4b5ba6e5eb9ff52eda5eb76a07d8fea85b3b90c9ffdb5422bc99c1319a1e1df8475ff92b9b9e9c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    3.0MB

    MD5

    4da0908e8e159d0b66df3869113d9193

    SHA1

    7195c4730e4d18f83f4fe61af66eb9654d8d8c2f

    SHA256

    2fe93daab84dd656dc6633a0a6ca1021406ddcde439c59a8a1eb05d3ae9134cd

    SHA512

    1b26588bdab01e76b62e4d53ea917c37e853347e24684c04a5a422b9eb26bdac3dfd69915c19818154f1017b622c0e0753aa2a58e46a754652ffafc3bfcf208c