Analysis
max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13-11-2024 20:14
Static task
static1
Behavioral task
behavioral1
Sample
234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Resource
win10v2004-20241007-en
General
Target
234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Size
3.0MB
MD5
9093c5110a16d657b27769dc999c0ee0
SHA1
510e01898403115261b241c61b013510ee5f8a49
SHA256
234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231
SHA512
14d5141c85dbabc6cb95a49c5a6ec659ad8281e2c6f445afcc11f91daab2b7d6037a4ec8910aafdbb85eb0bf76e09377bbaa6c2e0d3c6400d0d912bb93d0dafd
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpPbVz8eLF
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
description   ioc   Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Executes dropped EXE 2 IoCs
Processes: locabod.exe, aoptisys.exe
pid   Process
2324  locabod.exe
464   aoptisys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
description      ioc   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4O\\aoptisys.exe"  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLN\\dobxec.exe"  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe, locabod.exe, aoptisys.exe
description  ioc   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locabod.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aoptisys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe, locabod.exe, aoptisys.exe
pid   Process
1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  (first 4 entries)
2324  locabod.exe   (30 entries)
464   aoptisys.exe  (30 entries)
The remaining 60 entries alternate in pairs between 2324 locabod.exe and 464 aoptisys.exe.
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
description                       pid   Process                                                                 procid_target
PID 1452 wrote to memory of 2324  1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  88
PID 1452 wrote to memory of 2324  1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  88
PID 1452 wrote to memory of 2324  1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  88
PID 1452 wrote to memory of 464   1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  89
PID 1452 wrote to memory of 464   1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  89
PID 1452 wrote to memory of 464   1452  234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe  89
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1452

  Depth 2 (child of PID 1452): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2324

  Depth 2 (child of PID 1452): C:\Intelproc4O\aoptisys.exe
    Command line: C:\Intelproc4O\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 464
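The three persistence-related behaviours recorded above (Run/RunOnce values written under the user hive, an executable dropped into the per-user Startup folder, and the sample launching the files it had just written) are exactly what a host-based detection rule set looks for. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it applies those three checks to constructed Sysmon-style event records. The field names (EventID, Image, TargetObject, Details, TargetFilename, ParentImage) are an assumption loosely modelled on Sysmon's schema; the paths, registry values and PIDs are taken from the report, and two benign control records are constructed so the rules have something to ignore.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style event records (EventID 13 = registry value set,
# 11 = file create, 1 = process create). Field names are an assumption that
# loosely follows Sysmon's schema; the paths, key names and PIDs come from the
# report above. The last two records are benign controls the rules must ignore.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
AOPTISYS = r"C:\Intelproc4O\aoptisys.exe"
HKU_CV = r"HKU\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": SAMPLE, "TargetFilename": STARTUP_DROP},
    {"EventID": "11", "Image": SAMPLE, "TargetFilename": AOPTISYS},
    {"EventID": "13", "Image": SAMPLE, "TargetObject": HKU_CV + r"\Run\Parametr", "Details": AOPTISYS},
    {"EventID": "13", "Image": SAMPLE, "TargetObject": HKU_CV + r"\RunOnce\Parametr",
     "Details": r"C:\MintLN\dobxec.exe"},
    {"EventID": "1", "Image": STARTUP_DROP, "ProcessId": "2324", "ParentImage": SAMPLE, "ParentProcessId": "1452"},
    {"EventID": "1", "Image": AOPTISYS, "ProcessId": "464", "ParentImage": SAMPLE, "ParentProcessId": "1452"},
    # Benign controls (constructed): an installer registering an updater from
    # Program Files, and an ordinary document write by explorer.exe.
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": HKU_CV + r"\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

# Run and RunOnce values under ...\CurrentVersion; group 1 is the key, group 2 the value name.
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Executable-ish content landing directly in a per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|com|bat|cmd|vbs|js|lnk)$", re.I)
# Heuristic allowlist: autorun targets under these prefixes are not flagged by autorun_writes().
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def command_image(details: str) -> str:
    """Extract the executable path from an autorun value, which may be quoted and carry arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def autorun_writes(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, target) for Run/RunOnce values whose target lies outside TRUSTED_PREFIXES."""
    hits = []
    for e in events:
        if e.get("EventID") != "13":
            continue
        m = AUTORUN_RE.search(e.get("TargetObject", ""))
        if not m:
            continue
        target = command_image(e.get("Details", ""))
        if not target.lower().startswith(TRUSTED_PREFIXES):
            hits.append((m.group(1), m.group(2), target))
    return hits


def startup_drops(events: List[Dict[str, str]]) -> List[str]:
    """Paths of executable content written into a Startup folder."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == "11" and STARTUP_RE.search(e.get("TargetFilename", ""))]


def drop_and_exec(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(writer, image) pairs where a process launched a file it had written earlier.

    Assumes the events are in chronological order, as they are in a sandbox trace.
    """
    written: Dict[str, str] = {}
    pairs = []
    for e in events:
        if e.get("EventID") == "11":
            written[e["TargetFilename"].lower()] = e["Image"]
        elif e.get("EventID") == "1":
            img = e.get("Image", "").lower()
            if img in written and written[img].lower() == e.get("ParentImage", "").lower():
                pairs.append((e["ParentImage"], e["Image"]))
    return pairs


def triage(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Run all three rules and return their findings keyed by rule name."""
    return {"autorun": autorun_writes(events),
            "startup_drop": startup_drops(events),
            "drop_and_exec": drop_and_exec(events)}


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        print(f"{rule}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Two caveats when turning this into a real rule. The RunOnce target C:\MintLN\dobxec.exe never appears among the processes executed in this run, so the autorun check must fire on the registry write itself rather than wait for the target to exist or run. And the trusted-prefix allowlist is only a noise filter: legitimate software does register itself from per-user paths, so a hit is a triage lead to be confirmed against the process tree and dropped-file hashes, not a verdict.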
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 3.0MB
MD5 87e346237030a0115186712de1ba55e8
SHA1 c6ab7c5c52cc1a51630bcb97b133fe0801488f04
SHA256 a77faf4bf001251584028ea5d70989fec2a40d4391b807108a4064c7b64a4f71
SHA512 035d89c9009baa20058f4e72d52d8b5fde4d9888f3cf6dd874c5e881964a26a12b1007961f002113db70d28558cbf9682ee5d77e6174f986cee23ac6781bd85d

Filesize 160KB
MD5 726955c1a69f16ff4499befc01a68488
SHA1 9ceffa1fc28c8054de0e62e6fbd85eec608921e7
SHA256 b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f
SHA512 ddea6afcdad889fc3545b027b417b09c01da954ffacaaa72691fb09570fd9c6f7d8019711c6e0af12ba9a57df659f97f7fdac9647a88f09375a5ecb44818ca5f

Filesize 3.0MB
MD5 b2d77a3e7b154ddf5ca51c28a6701623
SHA1 f595d154a6fd7e7227edd829b5e8d0c4fa26ed7c
SHA256 43ccd4eaa5386e73301d86d31810ee29f4bd56a2c5110592a29e3631ced64400
SHA512 9eece8a337d9d77b64a64f1a09a5e72d45825171f7d43eff147c697cfa4a30ec9f6d1020d8d453d42cb96a3cd790ee8b31bd315d7a09d6c1a41fbfa7589cbc36

Filesize 204B
MD5 17b66f301518c144742b0c5d92e845af
SHA1 52528c0fd4f53ac3c01862972607c31cf7e9b8ca
SHA256 8e96d90b586a3fa8bda8c3241dd7e75494050bc0d830f6964e1b32a375fd7dce
SHA512 1cdf95c54b1746f1667aa8dae444edad1a208c6e382adea3ce82a44e015f772ff113ac9deec92c068f3c96e94bd35b425d167f3e59127a3c3b444af2a70bc120

Filesize 172B
MD5 e8df3cc577cbc5306cbf144ab06996f9
SHA1 84667810530a560d8365cb778279d9b72d87e5d2
SHA256 5956528b155623df5934d023c1963229db5c706432d9fc4cfc1258c9b4a7d69e
SHA512 693f688b1cc222133f1281b0b1fcc2a253e550232ca494ae6a4b5ba6e5eb9ff52eda5eb76a07d8fea85b3b90c9ffdb5422bc99c1319a1e1df8475ff92b9b9e9c

Filesize 3.0MB
MD5 4da0908e8e159d0b66df3869113d9193
SHA1 7195c4730e4d18f83f4fe61af66eb9654d8d8c2f
SHA256 2fe93daab84dd656dc6633a0a6ca1021406ddcde439c59a8a1eb05d3ae9134cd
SHA512 1b26588bdab01e76b62e4d53ea917c37e853347e24684c04a5a422b9eb26bdac3dfd69915c19818154f1017b622c0e0753aa2a58e46a754652ffafc3bfcf208c