Analysis

  • max time kernel
    119s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21/10/2024, 14:08

General

  • Target

    298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe

  • Size

    2.6MB

  • MD5

    5f4f1944a84e9de12002ea1bdad7e7b0

  • SHA1

    894083158d61e521c5564f4c9096eef92d745361

  • SHA256

    298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273

  • SHA512

    6bc6c334ff8d4ea78f270859d87c02adc44ca9658d888e3cb9d86f8294364ad70d3038851dddaf9c8277aa641142a2694e929c7f6db2618db66de4f97b966b2c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
    "C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1368
    • C:\FilesNL\xoptiloc.exe
      C:\FilesNL\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4500

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesNL\xoptiloc.exe

          Filesize

          2.6MB

          MD5

          0dba904eb032551427b8718b07e5bab2

          SHA1

          9ec080c8e9a7aedc4d14374832a238826996584d

          SHA256

          36e6ad7392b2ceb6957c8b7fc2ad4086601b6e3481516b536b38582cf8852062

          SHA512

          f40599249d0c131931d99f83851030073e02b5514964415bb847fb6c85d0d0be96d7e7d08f0a1bb11506368d1b43ab16093898975d25a459a704dc08df58a701

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          199B

          MD5

          8d450c5278e69370596539fbb52f1d92

          SHA1

          efadf7292de97b659a3a2c25cea75b8a79ab7600

          SHA256

          03c9228c5d513f561a9147a638fd9c792739a1db1c609955add33d60a3b2ce33

          SHA512

          1474e2bef270af34e1afab5b7f5611bc32f19a8e422b6498afa8f7cb844233a0e33ab1522500012a34a543ecdb8f2313d9292b65349e50f2e5d7391d54f32f81

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          167B

          MD5

          c74fb3a991fd102e060e77e577dc81e9

          SHA1

          6335d37e0a29a829857e5e8d1dab86af2a8fb84f

          SHA256

          4c88590da3c9e1b5ce7565a36cac4d84733b4818eaeeb4d4bc304549370c00d1

          SHA512

          b776cec75889ec198fc2d020610e4733a2e02a61050f7265a7f78ad2023f7f304175e9996db6b504612acc096832cf0cc20a2ee2f76edd039b0bdff98f4a23b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          1c1d17a26cef2a59a19b29797e34d6eb

          SHA1

          668f2f8c10993395f1708b5f0643965d99c72be5

          SHA256

          283139594342fb2aedf485fe2d26ca4d5d8e09680c0a9accc364313ddbe256e6

          SHA512

          07bcfd5fa3c32eb4a05ed0ffc214f1552c65ce737d339568114e729a9f74e39800e1be454425de8497708202d31b8a4ad29e051ac9a1d5eea5117b50b5deea65

        • C:\VidU6\dobxec.exe

          Filesize

          2.6MB

          MD5

          70f70c4590c0534607615159f37ef26c

          SHA1

          b5693b41c3141b8f0c1c5fc2005fea75f33fbe5a

          SHA256

          5e754484008855b9db6f71232a0cb88627044c26251aa899e9511f6c6411e88c

          SHA512

          b2810df83f68968b6b30f532afef9c03155d01f9639af8ef4ebc7c14aa319c3d3e2f5dfa46c962caf61fd36e7073832b04556482fb9253ad5e77a47ab68d4bb0

        • C:\VidU6\dobxec.exe

          Filesize

          132KB

          MD5

          9301f308c3fb4e2dd4c6bfd6fc04f002

          SHA1

          8735a9dc60eba451fde077f4a0cd5e1bfa0306bf

          SHA256

          e2694e529b793c267f51ec3b3961d13c7cb85ca8c9ffc8793a43f6555f10b878

          SHA512

          86d189fa6638bcfcfb8fe7d6366a6654458af8aebb592aaf4309ed7c97250e1d8f00f4eea0f78d968cc562b1105e7ea3d48cd5fc21653ead9af7a19c2dd24a2d