Analysis

Max time kernel: 119s
Max time network: 96s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/01/2025, 12:16
Static task: static1

Behavioral task: behavioral1
  Sample: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Resource: win10v2004-20241007-en
General

Target: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
Size: 3.6MB
MD5: 23f83689bbe30ff13799a107b7a32990
SHA1: 7775ce7148436d010d9f4c071c73595c0e12a4da
SHA256: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35a
SHA512: 6ec00f8ec123cbbe6b3ea99d2a9cd7e4a7de64d8e3ad9da9b150c2a16bb83183325bcee69fdf59bb4b489cda4b0954337557e3e52a9c80502a3d5ac04ce06815
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp6bVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  3144 | locdevopti.exe
  4308 | aoptisys.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY1\\aoptisys.exe" | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6S\\bodxloc.exe" | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptisys.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe (4 entries)
  3144 | locdevopti.exe (30 entries, alternating in pairs with 4308 below)
  4308 | aoptisys.exe (30 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3196 wrote to memory of 3144 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 84
  PID 3196 wrote to memory of 3144 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 84
  PID 3196 wrote to memory of 3144 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 84
  PID 3196 wrote to memory of 4308 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 85
  PID 3196 wrote to memory of 4308 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 85
  PID 3196 wrote to memory of 4308 | 3196 | e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe"
   PID: 3196
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      PID: 3144
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\IntelprocY1\aoptisys.exe
      Command line: C:\IntelprocY1\aoptisys.exe
      PID: 4308
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 346179b206e9ca4b1e0a041fe6570a6c
  SHA1: 186cbbbc35c5d5ce8dac76c3dc30bff38998d239
  SHA256: 3e83876fe295ab267347a9a6a8a379670305983063c3a33930ef4bf22fc2916f
  SHA512: b608006b986f7051bc997f8187bb5bc73dc9efa8f43516337e8444fbd218425a17d63b2020ed3c7d5a0037429a2be917d19e30468a0dc9df5b9a12b402c398b1

- Filesize: 3.6MB
  MD5: 0e5466a459735caaaea1479439b6dbfa
  SHA1: a144f669e0e2ae89f690a1855860ca41db3afc3c
  SHA256: 23641d28db9bedd31d936ad1322eca4ee3bec3a674bee7d6f4bef1a1ad9a6d65
  SHA512: 2a1f91c60bb096c16d71b53bb220dc73ab72931556d77086cf00f4482b364fb82df727dc4800c0d96dcbf10bfc283878839c26b601ba17991a1e1c1a0fa66c3b

- Filesize: 208B
  MD5: 89c888beb21abb59a0a0ac19990fdd25
  SHA1: 5a73e2acf68f90dc57191d4ff0dd2fa4beed45ae
  SHA256: 0a01a678a41c86bad6e1dd3087232c26eb51155fdafd8dff7019acd8fa06fd30
  SHA512: 25fc6daf55b4bd26cae78cf317c80b415b55521973aa6123511e19de2686427330673d02ae2b5927075b7f5fd020e59fbc9f2a26b50a589138b28d585e909fd6

- Filesize: 176B
  MD5: 6347c1aef4481f8de8c7ca26a0d60a93
  SHA1: a4e80ffdcd6543ef7de06b96efcc613c5b41e95d
  SHA256: abf830d9a6c71a5aebccaec9bbc1f4a46fc12a0242f1d1d834f0083152a68663
  SHA512: 6cdd5c7c40211ed25c79674fb1a73c0aa308a6163aba94de0041f7f24c0b76f993ddb3acfec0d231816de0605f9eb5aa632bb4b591f25b5dd18bcb8e4624ec80

- Filesize: 3.6MB
  MD5: 4907d91c3cd06372edd312966055d015
  SHA1: 96a5ec2d8a5538b6ecd60dc836a119dec8420a01
  SHA256: 0e21e042f02a51044c92a40a2209714804fdcc6dbc6a5279a327bc4130a58f67
  SHA512: c3d5a49fc59b6d659d2ae16bc7514440e17c47302a7c92cbcbab636e496af53fbe9906d62fa983727f23eb0781969e160905dcfa9a1b4ecb44a9625a4a4c0651