Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
- Resource: win10v2004-20240508-en
General
- Target: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
- Size: 2.6MB
- MD5: 70e4a479abe061eef8ae8a00438c0e26
- SHA1: 8e44b2b251cde8581f0bceffd66a5cc2d7e785be
- SHA256: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f
- SHA512: b57b61d6a477705f50b441c63924c5c76ec08279afa6df18f524f70f0b614f56b3ca1448f20bafe59717db55a6aaa5d92990231cba9713c86e7c97e72c12e33e
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
- Executes dropped EXE (2 IoCs)
  PID 2564: locxopti.exe
  PID 2708: adobec.exe
- Loads dropped DLL (2 IoCs)
  PID 1636: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe (two load events recorded for this pid)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFH\\adobec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\dobdevsys.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the same three pids recur throughout the 64 recorded events):
  PID 1636: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
  PID 2564: locxopti.exe
  PID 2708: adobec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe (PID 1636)
  PID 1636 wrote to memory of 2564 (procid_target 28), recorded 4 times
  PID 1636 wrote to memory of 2708 (procid_target 29), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID:1636
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID:2564
   2. C:\FilesFH\adobec.exe
      Command line: C:\FilesFH\adobec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID:2708
Network
MITRE ATT&CK Enterprise v15
Downloads