fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7b

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
Size

2.6MB
MD5

98013574229a9724ade761c27db8f720
SHA1

229eba8df7fc4e05aff1c02c78bb1395dee8cd48
SHA256

fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7b
SHA512

0606d12be7bdd56d951797f57e07e8a9ec38b5262edd05d884628fb71e96caebe8efa57b32914e86dd4d2ffdd774aa40e3d8b15671245abaa293a9072697b4f4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	locxdob.exe
4760	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLP\\aoptiec.exe"	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optialoc.exe"	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe
3056	locxdob.exe
3056	locxdob.exe
4760	aoptiec.exe
4760	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3056	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	89
PID 4312 wrote to memory of 3056	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	89
PID 4312 wrote to memory of 3056	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	89
PID 4312 wrote to memory of 4760	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	92
PID 4312 wrote to memory of 4760	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	92
PID 4312 wrote to memory of 4760	4312	fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe	92

C:\Users\Admin\AppData\Local\Temp\fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe
"C:\Users\Admin\AppData\Local\Temp\fb41f6a7b0014d1c1ce29e3d994a3bfc4796dd2139495723f4ae6c4a1fc82f7bN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\FilesLP\aoptiec.exe
  C:\FilesLP\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLP\aoptiec.exe

Filesize
2.6MB

MD5
b0bf458828a0cbcc01f37e2ffc2e7e8b

SHA1
6a44bd9730402c4ebba7d7adef9e167f4d290ccc

SHA256
a2ed157941ddd8b5f8ad8f9299f75058bc87ab7dbb0d989a5928dafa6adf8f15

SHA512
0a1db696444e4b82c7708c4d6676a5465969b766afdd6545bad0e8f6d80666a52e1cde787ba1493d4613836dfe941005add043782add685b4c6326d37ed63f66

Download Submit
C:\KaVBFC\optialoc.exe

Filesize
2.6MB

MD5
379572978e4d7fbc2b697d615f5a9414

SHA1
e3dbff49e848b6acd50e41d4b3597609fad406fd

SHA256
67534d829c651f85b487c2639a52ca876a32dc905d3201d68b8670982b8cbc55

SHA512
da51edc41e7fb33e5310b5b2adef4f3cdf5ec9c9ea054a5b82a3e76ff836bf1db73055a8250e31ade5dae5308290bfa950b5126807691263f0ba67744b2ca99c

Download Submit
C:\KaVBFC\optialoc.exe

Filesize
2.6MB

MD5
6f9cce2556cbf566199155973a414ed3

SHA1
8b80ca22d2a64f54b2db9a7db505190656b0631e

SHA256
1dab2f581ec11d12f049ec1779559ee7e94b6deac0d1b8ef955ee01521e8527f

SHA512
2c490f3002ac01cc12ed5b359e997b0d26aa95c1ef084cb0fe54e9d0f64db8568140a478ef01ba03683ddb30a83c1d161a43a59020b4805cd7aac6ccc01fa5d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b82fbc0bb660c0ed3400a39120e5ab36

SHA1
8505638b8fd345d76a1feca0e5e840a7436c0e74

SHA256
54db3406ca61f225f05ba9404f032e7c3b3522cfde4700e222e419e29fdcea35

SHA512
3663662f1a61f67648b5587f5bc672883bc7df0a3909b17b8323db9afd470e3d99dcd0d65dc5d75e04b6c8fd1d83b6e756e93316728b623cf32f918d442cf1e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
aa3f16674f48107bfb82601a00466419

SHA1
74928858aa9f2b4d3774de5de2ae1fd78c2d315a

SHA256
dab8a10a8d0e6dc07a4b5ddab897f0225825bb08da1b01b2a43dd3e14730b293

SHA512
f876cb95bb53038add7a174b9f455d1aa60b88138bd74d72947c983f01b7b79603d4043826b93f800779df4319ffff6cabbba755c1fe92a17195df4622ded479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
5daf79f1734833d5080954478d5cb047

SHA1
45c6d66ddd5937918b2b21bc6adcaeccdc463ec9

SHA256
cf3b1f1ffa085720a59f567bf95fd9619e3f72cdc9628c15c70c4d02445cb75e

SHA512
4b94404b0929de6ed9ec72660e3371ddd83a13e3697c137d00a4a9251f65a5dceb7c75bcbb0948413950fa21212ddf9c03393901c272b8c0cd52ec884a8edfb3

Download Submit