04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236f

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
Size

2.6MB
MD5

abf8d205570232474cf596cb4956c5f0
SHA1

607868ddc4fc8fb5bb8e40ffe433f07c6900c98b
SHA256

04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236f
SHA512

f97fa691dcf07fc422548c030cda8faa9838146801afe7ca838860c657014c3d9a5928f8f1e9d1592a352755f2850bbb149e977fde9f82db7124dfee1060a475
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe

Executes dropped EXE 2 IoCs

pid	Process
2920	locxdob.exe
4244	aoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9A\\aoptiloc.exe"	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN6\\optiasys.exe"	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe
2920	locxdob.exe
2920	locxdob.exe
4244	aoptiloc.exe
4244	aoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2920	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	86
PID 1476 wrote to memory of 2920	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	86
PID 1476 wrote to memory of 2920	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	86
PID 1476 wrote to memory of 4244	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	88
PID 1476 wrote to memory of 4244	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	88
PID 1476 wrote to memory of 4244	1476	04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe	88

C:\Users\Admin\AppData\Local\Temp\04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe
"C:\Users\Admin\AppData\Local\Temp\04b7426e40bb63a6a1868d23080c53abe5ab22729b894f8a0878b4c7a310236fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\SysDrv9A\aoptiloc.exe
  C:\SysDrv9A\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxN6\optiasys.exe

Filesize
2.6MB

MD5
97e78b1ff0a75078e5f01379e4f71b9b

SHA1
24aa4910d07d9fdcad1b2da1df91e03fdd7d6e78

SHA256
f02d61aa6887a31c77ee0cb8b87f70211410323cc507be5e4f4bf7db388b333f

SHA512
19d7d7d2a1c74df51d68e9e6733d0e4e997919af640b4b3f5ccd3f9beec7a22830032c6e729c98a73ab8ca390a99979afbd4268ba7f09bd683c9c1b2c5701e56

Download Submit
C:\GalaxN6\optiasys.exe

Filesize
2.6MB

MD5
cbdc10d7a42bd15d2b270bb71e992113

SHA1
1341c49bcbfeb486a110588c9fddcc6699f8427f

SHA256
25be77012182aaf0551075c4025eab4dc71609eec09cc8b5334d92eec9617a14

SHA512
ea87ba96d4e349a4b2d85fdbca28fe72a57fc4f5aef610fe3766e1d81f8535ac276fb434bcac3d8cf1e727c662f728313831337ed086595d9c11806d053bf460

Download Submit
C:\SysDrv9A\aoptiloc.exe

Filesize
2.6MB

MD5
fdfdd2b9fbc861b9cb9919b9ab2bcf8e

SHA1
67533ca034f8f83aef82a2310db6f19425601547

SHA256
eb4b6ab5c955e2ce06050942bc659431f9a55da82337e82b9dfcbb3f23495c6b

SHA512
239b3d7b80d779f662df59ec63ac69d37c494d35524cb40ea01cb7b40f61fd8e837c3961ad60a139db7840ca9b779dcfd9f0be3f19426fa4e452371e0ffd1a25

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
05afe675125f9f9b1fd2ee7be59c4f66

SHA1
1519d8e2add162c59c83f3760cac5b0d71f3f523

SHA256
f6f02bae0f87880838e2bf4608a7d45827d6657752c25083ce2be9ce00928a28

SHA512
0e96b497a92daec63a6e64994d3204b43293952e4575ca744ead5ebe0f22d9fb328ec87cba999f9bd35109d22fcb5d3d012fcdafd7844433d311d91bbac4c9e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
379979e5854b2cef7ca60dd2aa698dc6

SHA1
38b6034487f7b453009872400d10f7a09f402350

SHA256
f7cf5e73d8c739deebda1b9fc96da3a841e3efbb3aac8d136cf621c098e3ffd5

SHA512
dfaa8581ab06d21589b534269e39dd7bc3e581c9bd4e5a74569d04f5579103b9b58dc7dc102e303c6a8e722825dc835be9e80d6c5342a1c32a5b46687b1c59c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
709c13bb8f494dcc9184729e1b4ea861

SHA1
4c3a4be24156ff5e283803fa07b5805aef3cc7f9

SHA256
6b81b5a8b255bf4e11f0a1b3e6923da935d77e66c0ff1f06bc08772ef0a01f7e

SHA512
10b7f26bd68b34d9744662e323812603b55a31a17e027bac5f3d864684cd873d2cceb4eb332f0fe6e531c828ff35afe24702ca2349293844313729d98192bca1

Download Submit