Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 23:58

General

  • Target

    8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe

  • Size

    3.0MB

  • MD5

    59aa1e504bfe3f827d1aa215281d5672

  • SHA1

    e1f7ba0ac7eaaa98906129d6d1e455af1c11ab09

  • SHA256

    8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b

  • SHA512

    079be82c10748216401c1f70a55e841738e5f8127b449444bd3df4c546477544c06c8b6d71d1c1880110ecc147952efc4cc8f57a76559df6ca2ddd70cd9ca491

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNX:sxX7QnxrloE5dpUpzbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
    "C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2344
    • C:\FilesZ3\xoptiloc.exe
      C:\FilesZ3\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesZ3\xoptiloc.exe

    Filesize

    3.0MB

    MD5

    25b865003b54619353e1098b866ebbdc

    SHA1

    9b30603ba7974ffa1aca64922e84efe0c9557df7

    SHA256

    c6c5006eee01a2aee83675189743a6379822718ba06fed3943afcde4cba00195

    SHA512

    929e959693d0b80b15290ba82ead1673ed9ac2c557831149f65f1e7dadfd5219e5e9e411f3d932e675d565cad011013e2fabc4c08ac2d8d8b2bcbc0b687343a8

  • C:\MintSN\optidevec.exe

    Filesize

    1.2MB

    MD5

    211f25780a949ecc47fe103d46655355

    SHA1

    9e61828760283cbf311ef63c6da4b54bc8e38bf4

    SHA256

    03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

    SHA512

    425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

  • C:\MintSN\optidevec.exe

    Filesize

    3.0MB

    MD5

    c4f1574ae17f866c6d229c8b2752f281

    SHA1

    ac57045ce6675372cca1808c8816c0f2eddbc543

    SHA256

    86e026acbcd213d58ae4799defa534525785d175dad58888556664ada4560f9d

    SHA512

    7b25b0b26584b3552ed09ff0ec676a02a2354145b966e87ad7a596aa282bc3d4f5b296020dc7b5ff51f5c23703ad95c9fcc79a3082505ca29ac190889b3f6cc3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    888b6484c83cd7c402ad61e38d4590a4

    SHA1

    20188ad8d9e497196a0741ae5090a6e17ac2bc72

    SHA256

    b400e97b81f8f98fe027e7cddd377c2935639a90ca4c5ddc9bede22381cc6302

    SHA512

    8ca00f9494c03c483ce3375a673a21ddd55b85404988c50e2c59c7c442131ddf5776d38a2fe3a29b122311099f653a23ef33832ffcaf369dad83919d8e6d94c6

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    da78b45c490b652ab3a0504f7784ab16

    SHA1

    0a15893ee69eec3b9f19b85f95f11ee148bc3ffa

    SHA256

    d78edf158fb0a5c4f7187525603c1b2dfc52cdc23eb2009cc288a80833db5055

    SHA512

    c74f0bc9c59b6be6d8771901c4d419f79f862319f08b0fd0829d83f5456d112dc6ad634ebb744ee4113a7ae4cd3797a04c133e764297806e20d3c13f62b4a95f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    3.0MB

    MD5

    d647ecc0753ed21fb935e0259e070450

    SHA1

    92bfbbb6a7cc8bb8842c8081593e4e64818da3d4

    SHA256

    dfb18e521ce70b3cfed9c90cc73aa9b8b194d329f2118c66b74ae2b4863b3398

    SHA512

    6afa599f658df3f3cfded980bac337992bb4765a097d33491687d0e75fdaed11c4a5404274a463b6402d2996bd337f7eb3361a698af0720478162846b891cb37