Analysis
max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
21/10/2024, 14:06
Static task
static1
Behavioral task
behavioral1
Sample
81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Resource
win10v2004-20241007-en
General
Target
81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Size
2.6MB
MD5
9d752bdae09a495d85880ae91a3a6aa0
SHA1
ec619537bebd9e9bd52918f4c95cbfb3fe98b634
SHA256
81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281
SHA512
5d6a717459ad495c5416919201e8c4df624c931eb9e05dccaed776d956087768f757c542be407d925a52db1614efb9360c2b8177109f409934d8106cec5438c7
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpsb
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Executes dropped EXE 2 IoCs
pid | Process
2892 | locxdob.exe
2900 | devoptiloc.exe
Loads dropped DLL 2 IoCs
pid | Process
2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDA\\devoptiloc.exe" | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOV\\optidevloc.exe" | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
2892 | locxdob.exe
2900 | devoptiloc.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2936 wrote to memory of 2892 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 29
PID 2936 wrote to memory of 2892 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 29
PID 2936 wrote to memory of 2892 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 29
PID 2936 wrote to memory of 2892 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 29
PID 2936 wrote to memory of 2900 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 30
PID 2936 wrote to memory of 2900 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 30
PID 2936 wrote to memory of 2900 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 30
PID 2936 wrote to memory of 2900 | 2936 | 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2936
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2892
  C:\IntelprocDA\devoptiloc.exe
    Command line: C:\IntelprocDA\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2900
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.6MB
MD5
6ba76a2523d8758801d460e83b045f60
SHA1
e9d4803d9e80ebdac44f694abad3ff1660e47a2c
SHA256
1202d03192d7f4c2f00b629c16d27d1671f667857a9e6498b6ca1504ca61d958
SHA512
3bf2b9fc054382fd74e4dce8af9206ffe360dbe9a3935ffc925a3c54ca2cf16cd1915d5b3e79a6d2a425cfe32ad7ccae439002729f5815676a273262f277a650

Filesize
177B
MD5
246990f3df5ee902e609070782234d87
SHA1
baa7294ec0b081c8a4afbd3b3b5d3ae883b6378d
SHA256
ef07da7d2ec485faf199040633d4cc2410c586d5c01d49e8d0ee70b6c0eea449
SHA512
388f423f0be98c33e94798f3b5fc63912a77a099b78baa1096d5b4dc98fb7408f97d09f0e0ba16b04dcb734039057158b5c7a99a6a1f7df567bcf71d6534998c

Filesize
209B
MD5
17e1756e81b9ccbd5c8310a1eb95a4c7
SHA1
a0daa095a6c26c89e6463218152c376cb5f13997
SHA256
ad90ab695789e54adbda35b86076ffa560ca798d5dc90a4dbe4315c0fb30a4c0
SHA512
c8bca9425ca12f4ad860601dae79645469997215746b9ddc1b246eb23de3430bb88ab95d5b823f28acb23c697a4d951fbc9ba2cbf6dfd7f644e9a3af159ba776

Filesize
2.6MB
MD5
1cdae0f9db8f43a46dcba7f8bff780f3
SHA1
005ddf225bcac2864ed87870882f7c7f5b27889d
SHA256
242fd72edcbc67ae38f8b551bf451592a56817c3a54e75144d85e1aa5bdcfe84
SHA512
203a5010fe1ace346c8218aea276c99070215af070ec1d6e070b9bdb9bc796e247c1d3f1d850a914536d25be525f81c61a98839b57f287dd7a88389453c59d95

Filesize
2.6MB
MD5
c673def79898eb6634cc7189733ea732
SHA1
ad71b1b4e10769b4107e5e091a7e79e026d877a5
SHA256
fac1e415c6eb34d38bd015c6bc87ace7927ba602b610906806de5fbd80a66979
SHA512
fce34a10a06345c9a78e5471dbddb9557c1f81c08a67320a80743f5765871a820b7554e19fb0754c1d949d67320fae9176269bcf552f097680757b7a66b52109

Filesize
2.6MB
MD5
06c284af3eee9c354c91a11ceaa9c2c5
SHA1
9b9caa0e4cd5684f6f14f7df17d6a637986368ec
SHA256
afd445c6356dd62253fc239bbd931c8d76e82e6017820d1c3fd9a2b5397e2c59
SHA512
6edd7cfbc67ca443fcc5a929511a0c732d25eb8909d88e3502443fc70c1a274c0c1184dbab3b61219e45b1fde5bb278ea1644ccceb4243d8aa2b1c76f65014ac