a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
Size

2.6MB
MD5

f1f98c824a75c11e6788282a26198834
SHA1

807546d857ffb7e922a2d367bfb2224cb9d7de69
SHA256

a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c
SHA512

a2fcd8e0b7faf3b7718efa51d7f2fb40d8a0c8a67796d1df315b1b257b8d684f54ed4c48225005bc78555169b367f96eaef1f2191369e5f3ac3c154a41070011
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSS:sxX7QnxrloE5dpUpGb9

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	locdevopti.exe
556	aoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotND\\aoptiec.exe"	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKV\\dobxloc.exe"	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe
3224	locdevopti.exe
3224	locdevopti.exe
556	aoptiec.exe
556	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3224	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	86
PID 1172 wrote to memory of 3224	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	86
PID 1172 wrote to memory of 3224	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	86
PID 1172 wrote to memory of 556	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	89
PID 1172 wrote to memory of 556	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	89
PID 1172 wrote to memory of 556	1172	a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe	89

C:\Users\Admin\AppData\Local\Temp\a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe
"C:\Users\Admin\AppData\Local\Temp\a53960252a8b45bc21ee2af964738d74d18b20f1ceb956fe19a53d346764119c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3224
- C:\UserDotND\aoptiec.exe
  C:\UserDotND\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKV\dobxloc.exe

Filesize
218KB

MD5
ab869e908836257304cf7257b88f59c9

SHA1
52bf89eda885fe5cd9d30f21ce303d3e2e036656

SHA256
9cea0926a192e77269232df83e374dbc04a70cd200dc9ac2b22203fea6aaecb5

SHA512
e8a21fc09a88bbe696354c6292d24911f67f7774252f8e7ded4a5e3c246197e837a20911af8a7f2bbc850ae457ea36d84889853af0ebd5798aab8ecceca8e74a

Download Submit
C:\GalaxKV\dobxloc.exe

Filesize
2.6MB

MD5
cacff9b9706b1bcf0cbcd852b26f9fba

SHA1
2c8880366f962db0efba6d86b9ee1965f58b4247

SHA256
02df8c56248d9061182666c698022befd77c72259bd50c4153841a7b32965ff0

SHA512
16e94129f1abe80749210e90cda64aee001bdfb00f9f43d7bfc94e9517b079c84f69ac6d038023e4831c810ea83b2a1168b759d8f0b945c0a7c05590518a69d1

Download Submit
C:\UserDotND\aoptiec.exe

Filesize
392KB

MD5
c3389167dccd5541b9d0f40125943512

SHA1
b773feb02abaea5ab5ece45404905d65af6a0dda

SHA256
2c46b8428db7bf749365a8001e845daf1c3c20d4f78100cfa9385ba5a0a2db46

SHA512
649e82f4912cda0a301021671b8a21ff1d16ef4582e989d663bb3e2c6f32ac24b41f913e3409c0582214816354593d1f371af19e8ab1f4d1d0f1f263dfaa40f8

Download Submit
C:\UserDotND\aoptiec.exe

Filesize
2.6MB

MD5
24a1577695ee4d069e9a4a13b577fabb

SHA1
5dd588cb92bd685ab976165bd0e706e13b576a47

SHA256
5a7d658e0c991e154be2b6f561afa38367790a2ad6bea26ff70dca5c6795fab0

SHA512
ae10d126187dd9d494fb5cf5b0dbd3c993f04946a18b1aae665f2334e5e86afffefa1bc1f7af1561aad7ea8f353fddfe30792ac9c4395403e4a6dbef6e63ebcd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f7cde46493d3d546cfc82a5cc5bf598e

SHA1
ea77c6f4fdfa4bb59cf479795324c2000cf6df46

SHA256
ba4d45109f36be8b1460eb6060186aa26838c873e785ceb2b4e432ca700d728f

SHA512
4d16ad4651ddc6ed3637c12216581c1eb9b9cf182c4a6e60f914f2a6f2d66f652f5d5768c731e9b0e6780b49479cb2131fca321ce7681ae8d854231d6e5df97d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
cdfdd5a6cfb17b3ddf92d8524d93fea2

SHA1
37f9e94627e655def503201820a104e25aaa3975

SHA256
7da0d982e39e932200941063f9df49d2835347cbb569b52e30f010af3084e320

SHA512
e5f923ccbc6ed5a6f2f9d9cb1dd2a3c4839fed368c90cb7ec9f808d157bec3ec5132834dc49b8f28319f5a2768306912c2ab8f7eeeb0008fb6401983a8c1b9a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
8de613325c851d0e6682448bbc0f1d6e

SHA1
9253739c69895670163bb46434446bb87178e2d7

SHA256
c19f152803fab750c12745546d319f1a7e95339013b005a23162962b824eb224

SHA512
c53548edd4836499d3a37485b75e1866c311315d70dbef3b014f0e383ddd4006d486086d66af1a56998a92a211a0893a0b10fdc0cc73c9419a06a10319322a22

Download Submit