Analysis
max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
21/10/2024, 14:08
Static task
static1
Behavioral task
behavioral1
Sample
298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Resource
win10v2004-20241007-en
General
-
Target
298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
Size
2.6MB
-
MD5
5f4f1944a84e9de12002ea1bdad7e7b0
-
SHA1
894083158d61e521c5564f4c9096eef92d745361
-
SHA256
298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273
-
SHA512
6bc6c334ff8d4ea78f270859d87c02adc44ca9658d888e3cb9d86f8294364ad70d3038851dddaf9c8277aa641142a2694e929c7f6db2618db66de4f97b966b2c
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1368 | locadob.exe
4500 | xoptiloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNL\\xoptiloc.exe" | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobxec.exe" | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiloc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 4
1368 | locadob.exe | 30
4500 | xoptiloc.exe | 30
(the 60 hits from the two dropped executables alternate in pairs of 1368/4500 after the parent's first four)
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2308 wrote to memory of 1368 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 90
PID 2308 wrote to memory of 1368 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 90
PID 2308 wrote to memory of 1368 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 90
PID 2308 wrote to memory of 4500 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 91
PID 2308 wrote to memory of 4500 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 91
PID 2308 wrote to memory of 4500 | 2308 | 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | 91
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
PID: 2308
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  Depth 2 (child of PID 2308): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  PID: 1368
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
  Depth 2 (child of PID 2308): C:\FilesNL\xoptiloc.exe
  Command line: C:\FilesNL\xoptiloc.exe
  PID: 4500
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
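The persistence entries in the signatures above and the parent/child relations in the process tree lend themselves to a small triage routine. The Python below is an added example written for this page, not sandbox output and not code from the sample. The events it consumes are constructed here in a simplified Sysmon-like shape (event IDs 1, 11 and 13 as plain dicts with the fields shown) mirroring the report's IoCs, plus one benign Run entry for a hypothetical vendor to show the negative case; the trusted-directory list is an assumption of the example. It flags Startup-folder drops and Run/RunOnce values pointing outside trusted roots, rebuilds the parent/child relation from process-create events, and separates autostart targets that were already seen running (locadob.exe, xoptiloc.exe) from the RunOnce target C:\VidU6\dobxec.exe, which never appears in the process tree during this run.

```python
"""Triage of persistence and process lineage over constructed Sysmon-style events."""
import re
from dataclasses import dataclass

# Simplified Sysmon event IDs: 1 = process create, 11 = file create, 13 = registry value set.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# Assumption for this example: autostart targets under these roots are unremarkable.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe")
STARTUP = ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\"
           "Programs\\Startup\\locadob.exe")
HKU = ("HKU\\S-1-5-21-2437139445-1151884604-3026847218-1000\\SOFTWARE\\Microsoft\\"
       "Windows\\CurrentVersion\\")

# Constructed events mirroring the report's IoCs, plus a benign Run entry (hypothetical vendor).
EVENTS = [
    {"id": 11, "pid": 2308, "image": SAMPLE, "target": STARTUP},
    {"id": 13, "pid": 2308, "image": SAMPLE, "target": HKU + "Run\\Parametr",
     "details": "C:\\FilesNL\\xoptiloc.exe"},
    {"id": 13, "pid": 2308, "image": SAMPLE, "target": HKU + "RunOnce\\Parametr",
     "details": "C:\\VidU6\\dobxec.exe"},
    {"id": 1, "pid": 1368, "image": STARTUP, "parent_pid": 2308},
    {"id": 1, "pid": 4500, "image": "C:\\FilesNL\\xoptiloc.exe", "parent_pid": 2308},
    {"id": 13, "pid": 5120, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": HKU + "Run\\VendorUpdater",
     "details": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"},
]


@dataclass(frozen=True)
class Finding:
    technique: str  # "startup_folder" or "run_key"
    pid: int        # process that installed the autostart entry
    path: str       # executable the entry will launch


def exe_from_value(data: str) -> str:
    """Extract the executable from Run-key data: a quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def find_persistence(events):
    """Startup-folder file creates and Run/RunOnce values that point outside trusted roots."""
    found = []
    for e in events:
        if e["id"] == 11 and STARTUP_DIR_RE.search(e["target"]):
            found.append(Finding("startup_folder", e["pid"], e["target"]))
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            exe = exe_from_value(e["details"])
            if not is_trusted(exe):
                found.append(Finding("run_key", e["pid"], exe))
    return found


def children(events, parent_pid: int):
    """PIDs created by parent_pid, in event order (the report's process tree)."""
    return [e["pid"] for e in events if e["id"] == 1 and e.get("parent_pid") == parent_pid]


def triage(events):
    """Split autostart targets into those already seen running and those still pending."""
    findings = find_persistence(events)
    started = {e["image"].lower() for e in events if e["id"] == 1}
    executed = [f.path for f in findings if f.path.lower() in started]
    pending = [f.path for f in findings if f.path.lower() not in started]
    tree = {p: children(events, p) for p in sorted({f.pid for f in findings})}
    return {"findings": findings, "executed": executed, "pending": pending, "children": tree}


if __name__ == "__main__":
    result = triage(EVENTS)
    for f in result["findings"]:
        print(f"{f.technique:15} pid={f.pid} -> {f.path}")
    print("already executed:", result["executed"])
    print("pending (hunt for these too):", result["pending"])
    print("children:", result["children"])
```

The pending list is the part worth acting on: a hunt that only looks for running processes would miss dobxec.exe, which the RunOnce value would launch at next logon. Key the hunt on the Run/RunOnce values and the C:\FilesNL and C:\VidU6 paths as well as on the Startup-folder file.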
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
0dba904eb032551427b8718b07e5bab2
SHA1
9ec080c8e9a7aedc4d14374832a238826996584d
SHA256
36e6ad7392b2ceb6957c8b7fc2ad4086601b6e3481516b536b38582cf8852062
SHA512
f40599249d0c131931d99f83851030073e02b5514964415bb847fb6c85d0d0be96d7e7d08f0a1bb11506368d1b43ab16093898975d25a459a704dc08df58a701
-
Filesize
199B
MD5
8d450c5278e69370596539fbb52f1d92
SHA1
efadf7292de97b659a3a2c25cea75b8a79ab7600
SHA256
03c9228c5d513f561a9147a638fd9c792739a1db1c609955add33d60a3b2ce33
SHA512
1474e2bef270af34e1afab5b7f5611bc32f19a8e422b6498afa8f7cb844233a0e33ab1522500012a34a543ecdb8f2313d9292b65349e50f2e5d7391d54f32f81
-
Filesize
167B
MD5
c74fb3a991fd102e060e77e577dc81e9
SHA1
6335d37e0a29a829857e5e8d1dab86af2a8fb84f
SHA256
4c88590da3c9e1b5ce7565a36cac4d84733b4818eaeeb4d4bc304549370c00d1
SHA512
b776cec75889ec198fc2d020610e4733a2e02a61050f7265a7f78ad2023f7f304175e9996db6b504612acc096832cf0cc20a2ee2f76edd039b0bdff98f4a23b8
-
Filesize
2.6MB
MD5
1c1d17a26cef2a59a19b29797e34d6eb
SHA1
668f2f8c10993395f1708b5f0643965d99c72be5
SHA256
283139594342fb2aedf485fe2d26ca4d5d8e09680c0a9accc364313ddbe256e6
SHA512
07bcfd5fa3c32eb4a05ed0ffc214f1552c65ce737d339568114e729a9f74e39800e1be454425de8497708202d31b8a4ad29e051ac9a1d5eea5117b50b5deea65
-
Filesize
2.6MB
MD5
70f70c4590c0534607615159f37ef26c
SHA1
b5693b41c3141b8f0c1c5fc2005fea75f33fbe5a
SHA256
5e754484008855b9db6f71232a0cb88627044c26251aa899e9511f6c6411e88c
SHA512
b2810df83f68968b6b30f532afef9c03155d01f9639af8ef4ebc7c14aa319c3d3e2f5dfa46c962caf61fd36e7073832b04556482fb9253ad5e77a47ab68d4bb0
-
Filesize
132KB
MD5
9301f308c3fb4e2dd4c6bfd6fc04f002
SHA1
8735a9dc60eba451fde077f4a0cd5e1bfa0306bf
SHA256
e2694e529b793c267f51ec3b3961d13c7cb85ca8c9ffc8793a43f6555f10b878
SHA512
86d189fa6638bcfcfb8fe7d6366a6654458af8aebb592aaf4309ed7c97250e1d8f00f4eea0f78d968cc562b1105e7ea3d48cd5fc21653ead9af7a19c2dd24a2d