Analysis
max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
  Resource: win10v2004-20240802-en
General
Target: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Size: 2.6MB
MD5: 19d6260268e294f65e8a56aa563ee63c
SHA1: e1d80ecb9644d4b8986b9eeb63fb62e007980e76
SHA256: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3
SHA512: e8734da0d512ff9daa21c6019aae3be52f69fd1a73323daee2eb465e302fa89b5ed2d5ee3219bdd2caaa52476aa07564281850ab5263b97e08a22442dec6cbeb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpob
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Executes dropped EXE (2 IoCs)
  pid 2400  locabod.exe
  pid 2752  xoptisys.exe
Loads dropped DLL (2 IoCs)
  pid 1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
  pid 1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDX\\xoptisys.exe"
  Process: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEJ\\dobaec.exe"
  Process: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locabod.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  (2 entries)
  pid 2400  locabod.exe   (alternating with pid 2752 for the remaining 62 entries)
  pid 2752  xoptisys.exe  (alternating with pid 2400 for the remaining 62 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                                                    procid_target
  PID 1872 wrote to memory of 2400     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  30
  PID 1872 wrote to memory of 2400     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  30
  PID 1872 wrote to memory of 2400     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  30
  PID 1872 wrote to memory of 2400     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  30
  PID 1872 wrote to memory of 2752     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  31
  PID 1872 wrote to memory of 2752     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  31
  PID 1872 wrote to memory of 2752     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  31
  PID 1872 wrote to memory of 2752     1872  c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1872
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (child of PID 1872)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2400

  C:\UserDotDX\xoptisys.exe (child of PID 1872)
  Command line: C:\UserDotDX\xoptisys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 9005d34aaf3d635c6980f1d6eb1efeab
SHA1: c498d73bba0ccdb61e965790bea41e4a93597b75
SHA256: 475f8ffffd753756a87aa81c21604d6f11be0e62df25fbbccf1ce33c809eb07a
SHA512: 15fc5719672bdb68e911c20297a7cb3deaa941a8be42dc512fca6823b6924ecd0119bc6c8bfa15ebb80dd0a487c7a068b95d91991ce5d04a8d642001b1440d44

Filesize: 169B
MD5: 693f173b82f2e7e03215137bf78a3ea8
SHA1: a0f0a94a6aa372e61d8984fe8edfd20e08744258
SHA256: 1d3a38a7a102742982530809f69b035faf63777a365639e6395f5946bcc846c9
SHA512: 3c8188c4953a863b3145e1ac82c4f263fa475864d6f55cb5bb8327e61443ef143c4c6b3471fcdde4b42f4d2e7df1a2040305e915f1db0e0936c2f563669a9a52

Filesize: 201B
MD5: a13a0b069c518ef80f355df9e614c38f
SHA1: b097abf9aa061b89baa17b8755b66837695d015a
SHA256: 214cb4d0bcd7cff8a884f1d411ce5476c37e158b60a44704086ef8a812954696
SHA512: fff07b5af1434bea361b3fa4dcbe03a346986692a8c3918863e2a3e88bb6ce0a2bd4e1af282d75f1a61607d25122d777b1c731a7c9b72e320e3584383d34afc4

Filesize: 2.6MB
MD5: 4cec09547de76275d87bed58a67c11cf
SHA1: 318539fcee82e3a185fc35cbba44e3a17b8840ad
SHA256: 5e599d01f26db8a1d45e613fcbd0e69a33dd5271abc5d7899dd28bc4eba59ab7
SHA512: 8c45f80730c73a4bdaf5f24154a907d32ccf68ff0fcdae319fb28cdaab7f6fbbfc7797e8dbe2f832693b28afd71626eaa321522fdc0cf050eb5143c65c769015

Filesize: 2.6MB
MD5: 5cdbddd78acdd8dd8e71e9dbf4154a8c
SHA1: a127996888c4eda472607e260da65e6cfddc40d8
SHA256: 46b3f14542d9730c16ae35d6cbd90c51d137dca6611702cf83890ee2015f6a1e
SHA512: 8581d20732338468c1209eae702f3b1232045537b81d616533934607eb9b9dfdc5b12d726403e95337889bfc4e835d1ab7b48d2f7a06b7d1beef5445a6518e3b