Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Resource: win10v2004-20241007-en
General
- Target: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
- Size: 2.6MB
- MD5: d86b96177072ea29abf7b9a1e2262ac0
- SHA1: 6f6bb2c8e29626d911b176b1fb4e85892a1a649a
- SHA256: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144
- SHA512: 4e7b946f7a43aaa0a339158b60a018d56c90e43f2e4e38011614d9414140bbba040afa4b144f063818e44dbb7783d4c0d15b19043acc7d4dcefa3c28be8b603d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file 1 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
Executes dropped EXE 2 IoCs
  pid | Process
  2808 | locxopti.exe
  2472 | xoptiec.exe
Loads dropped DLL 2 IoCs
  pid | Process
  2312 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  2312 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH5\\xoptiec.exe" | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7C\\dobaloc.exe" | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Note: the same value name, Parametr, is written under both Run and RunOnce but points at two different binaries in two freshly created root-level directories. Only xoptiec.exe is executed in this run; dobaloc.exe does not appear in the process list, so the RunOnce entry would fire at the next logon.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2312 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe (first 2 entries)
  2808 | locxopti.exe and 2472 | xoptiec.exe, alternating, for the remaining 62 entries
Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | Process | procid_target
  PID 2312 wrote to memory of 2808 | 2312 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 30 (4 identical entries)
  PID 2312 wrote to memory of 2472 | 2312 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 31 (4 identical entries)
  Note: both targets are children the sample itself just launched (see the process tree). A parent writing into a newly created child is part of normal process creation, so these entries by themselves do not establish code injection; the persistence and dropped-file signatures above carry more weight.
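The signatures above translate into host telemetry that can be hunted for without the sandbox. The following is an added example (not part of this report or the sandbox's own rules) that runs a small set of rules over Sysmon-style events: the startup-folder executable drop, a Run/RunOnce value pointing outside Program Files or Windows, execution from a directory directly under the drive root (C:\IntelprocH5\), and a correlation that catches one value name (Parametr) registered under both Run and RunOnce with different binaries. Sysmon event IDs 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent SetValue) are real; the event field names, rule names and the EVENTS list itself are constructed for this example, mirroring the report's IoCs plus two benign controls.

```python
"""Hunt rules for the persistence and execution behaviour listed in this
sandbox report, run over constructed Sysmon-style events.
Added example; field names, rule names and the events are this example's own."""
import re
from collections import defaultdict

# Paths taken from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN = (r"HKU\S-1-5-21-3551809350-4263495960-1443967649-1000"
       r"\Software\Microsoft\Windows\CurrentVersion\Run")
RUNONCE = RUN + "Once"

# Constructed events, not real telemetry. Sysmon EID 11 = FileCreate,
# EID 13 = RegistryEvent (value set), EID 1 = ProcessCreate.
EVENTS = [
    {"id": 11, "image": SAMPLE, "target": STARTUP + r"\locxopti.exe"},
    {"id": 13, "image": SAMPLE, "target": RUN + r"\Parametr",
     "details": r"C:\IntelprocH5\xoptiec.exe"},
    {"id": 13, "image": SAMPLE, "target": RUNONCE + r"\Parametr",
     "details": r"C:\LabZ7C\dobaloc.exe"},
    {"id": 1, "image": STARTUP + r"\locxopti.exe", "parent": SAMPLE},
    {"id": 1, "image": r"C:\IntelprocH5\xoptiec.exe", "parent": SAMPLE},
    # Benign controls: a vendor installer registering its updater, and a
    # normal interactive launch. Neither should produce a hit.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": RUN + r"\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# "c:\program files" also covers "c:\program files (x86)".
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Drive root, exactly one directory, one .exe: C:\IntelprocH5\xoptiec.exe
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$", re.I)


def untrusted_path(path):
    """True unless the path is under Program Files / Windows."""
    return not path.strip('"').lower().startswith(TRUSTED_DIRS)


def hunt(events):
    """Return (rule, event) pairs. The first two rules map to ATT&CK T1547.001."""
    hits = []
    binaries_by_value = defaultdict(set)   # Run value name -> configured binaries
    for ev in events:
        if ev["id"] == 11:
            t = ev["target"].lower()
            if t.startswith(STARTUP.lower()) and t.endswith(".exe"):
                hits.append(("startup_folder_exe", ev))
        elif ev["id"] == 13:
            m = RUN_KEY_RE.search(ev["target"])
            if m:
                binaries_by_value[m.group(2).lower()].add(ev["details"].lower())
                if untrusted_path(ev["details"]):
                    hits.append(("run_key_untrusted_path", ev))
        elif ev["id"] == 1:
            # Heuristic: the dropped payload here runs from a directory
            # created directly under the drive root.
            if ROOT_DIR_EXE_RE.match(ev["image"]) and untrusted_path(ev["image"]):
                hits.append(("exec_from_root_level_dir", ev))
    # Correlation across events: one value name under both Run and RunOnce,
    # pointing at different binaries (Parametr in this report).
    for name, binaries in binaries_by_value.items():
        if len(binaries) > 1:
            hits.append(("run_value_name_reused",
                         {"value": name, "binaries": sorted(binaries)}))
    return hits


def rule_counts(events):
    """Hits per rule, for quick triage."""
    counts = defaultdict(int)
    for rule, _ in hunt(events):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, ev in hunt(EVENTS):
        print(f"{rule}: {ev}")
```

Against the constructed events the four rules fire once, twice, once and once respectively, and neither benign control is flagged. The root-level-directory rule is the noisiest of the four in a real estate (portable tools and some installers live there); the Run/RunOnce value-name correlation is the most specific to this sample's behaviour.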
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe"
   PID: 2312
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 2808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\IntelprocH5\xoptiec.exe
      command line: C:\IntelprocH5\xoptiec.exe
      PID: 2472
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 1b303d635a2b1ff937a5584adc9cab18
  SHA1: e0da617cf72cdb17995d57457fd63c8196bf4c21
  SHA256: 08599f14e4d42c9b4180b22a0006e93cc5bc703c8f68026bf5b3f2a3553b022c
  SHA512: ec4de85b3f2d50f22d6044cf2a74db69bc0d60e4324e1affc96492db11804bc32f53f1325f47c3f8f8b00e45e58ed5da1899e01f1a39af42b36d3581651ab4df
- Filesize: 45KB
  MD5: f71811ca286aa054a05377fbfe4308a5
  SHA1: b4a1804662f151e759806874c2a0613ee20e97b4
  SHA256: a0948ff9f98be1ea4b1c111c8804a300595e4345ad24aeeb34d29353ad02fe84
  SHA512: 927de7696adf06406a07e6822bc64a3ce5e428d9598ee933619a16b89e0bf7f058dd2343a87928a4ee2de368447621f135e5f3cf5eb8e997f7bf02076ae7e278
- Filesize: 2.6MB
  MD5: a39431ecd71a739daa9e6d095a7a2efe
  SHA1: ca407030e24d26a92597ef3caeae6c5a6fc01151
  SHA256: d0f142f9fce28a5390358f6e2134273ed25ca883305eb05dd6031769371cbd98
  SHA512: 0f4cf1bff6f993c25a72f13d6f2cca574a076fd9c29a18a306634084cc679bdfcefa64920e37171a58d33e6f500540cdedcfb87d46f2ed29ab55043afbcc90e5
- Filesize: 173B
  MD5: ea0e8493712d04ad964a61b1c0f62084
  SHA1: f75fb2c372f48ec5971f04d3ee07517d7977ed13
  SHA256: de2d57ea6d3d0210f349052823d080420311ece296fdaa9cae5e1d80e3d129c5
  SHA512: b7f78131231ed4bd7946536dbdf3512d2ad315d77b509457bdd86097ae6a3de16991b87867cbeb9b2589dc4ca45275b36bda76c60af6e075a3ea5bf3b58c1a0b
- Filesize: 205B
  MD5: 5919c829146c6fcddae0b596f9a79bd1
  SHA1: 8e2eec003f9230901e187cafef3a07143f9b8bbe
  SHA256: c3bd9346b0f05bf4eb3d69760fd73182206ec9f40447fbaf35280a93fdec4d81
  SHA512: f02190d490fb25c5641ec7f0a3836cd018cd4542f81856038fcd95da7bb7687e804cd0274ee1ba3dce3ebee23ada33eb16cfe68182b6065bd277fc548787f093
- Filesize: 2.6MB
  MD5: 73f07fc128587294da4cb9d432f99fc5
  SHA1: 93cf80666038db3d1c79e18b628b9524df47fcaa
  SHA256: 180a967a756208eddd25a900ab76acd2273a708b7ee13521afc35be08deee0fa
  SHA512: 426e8c15fc743212192bae1a686faf5254e31aac09513d17faf3db6a24da177ae2768ca6b7cb51dffdf92c76ecfbdc7cb3983a7d28ead9b7e40ab3a62297c838
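The hash blocks are the part of this report most people copy into a blocklist, and the way the page prints them (algorithm name run straight into the digest, e.g. "SHA193cf...") is easy to mis-split. The following is an added example, not from the report or the sandbox vendor: a parser for these blocks that validates each digest's length against its algorithm, an index that answers a lookup for a digest of any of the four algorithms, and a check for sizes shared by several distinct hashes. REPORT_TEXT is copied from this page (the submitted sample's General entry and the six Downloads entries, SHA512 values left out); hashlib is the Python standard library; record field names are this example's own.

```python
"""Parser and lookup for the hash blocks in this sandbox report.
Added example; REPORT_TEXT is copied from the page, the record layout and
function names are this example's own."""
import hashlib
import re

REPORT_TEXT = """\
Target 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
Size 2.6MB
MD5 d86b96177072ea29abf7b9a1e2262ac0
SHA1 6f6bb2c8e29626d911b176b1fb4e85892a1a649a
SHA256 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144
-
Filesize 2.6MB
MD51b303d635a2b1ff937a5584adc9cab18
SHA1e0da617cf72cdb17995d57457fd63c8196bf4c21
SHA25608599f14e4d42c9b4180b22a0006e93cc5bc703c8f68026bf5b3f2a3553b022c
-
Filesize 45KB
MD5f71811ca286aa054a05377fbfe4308a5
SHA1b4a1804662f151e759806874c2a0613ee20e97b4
SHA256a0948ff9f98be1ea4b1c111c8804a300595e4345ad24aeeb34d29353ad02fe84
-
Filesize 2.6MB
MD5a39431ecd71a739daa9e6d095a7a2efe
SHA1ca407030e24d26a92597ef3caeae6c5a6fc01151
SHA256d0f142f9fce28a5390358f6e2134273ed25ca883305eb05dd6031769371cbd98
-
Filesize 173B
MD5ea0e8493712d04ad964a61b1c0f62084
SHA1f75fb2c372f48ec5971f04d3ee07517d7977ed13
SHA256de2d57ea6d3d0210f349052823d080420311ece296fdaa9cae5e1d80e3d129c5
-
Filesize 205B
MD55919c829146c6fcddae0b596f9a79bd1
SHA18e2eec003f9230901e187cafef3a07143f9b8bbe
SHA256c3bd9346b0f05bf4eb3d69760fd73182206ec9f40447fbaf35280a93fdec4d81
-
Filesize 2.6MB
MD573f07fc128587294da4cb9d432f99fc5
SHA193cf80666038db3d1c79e18b628b9524df47fcaa
SHA256180a967a756208eddd25a900ab76acd2273a708b7ee13521afc35be08deee0fa
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")


def parse_report(text):
    """Split the page text into records on '-' lines. The algorithm prefix
    and the digest may be run together ("SHA193cf..."); the length check
    rejects any split that does not yield a digest of the right size."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if cur:
                records.append(cur)
            cur = {}
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest of {len(digest)} hex chars: {line}")
            cur[algo] = digest
        elif line.startswith(("Size ", "Filesize ")):
            cur["size"] = line.split(None, 1)[1]
        elif line.startswith("Target "):
            cur["name"] = line.split(None, 1)[1]
    if cur:
        records.append(cur)
    return records


def build_index(records):
    """Map every digest to its record so a lookup works with any algorithm."""
    return {rec[a]: rec for rec in records for a in DIGEST_LEN if a in rec}


def lookup(index, digest):
    """Find the record for a digest; the algorithm is inferred from its length."""
    d = digest.strip().lower()
    if len(d) not in DIGEST_LEN.values() or not re.fullmatch(r"[0-9a-f]+", d):
        raise ValueError("expected an MD5, SHA1, SHA256 or SHA512 hex digest")
    return index.get(d)


def same_size_different_hash(records):
    """Sizes shared by several distinct SHA256 values: a blocklist built
    from the submitted sample's hashes alone would miss the other files."""
    by_size = {}
    for rec in records:
        by_size.setdefault(rec.get("size"), set()).add(rec["SHA256"])
    return {size: len(h) for size, h in by_size.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_report(REPORT_TEXT)
    print(len(recs), "records;", same_size_different_hash(recs))
    print(lookup(build_index(recs), "93cf80666038db3d1c79e18b628b9524df47fcaa"))
```

To check a file on disk, pass hashlib.sha256(data).hexdigest() (or any of the other three) to lookup. same_size_different_hash returns {"2.6MB": 4} for this report: the submitted sample and three 2.6MB dropped files all carry different hashes, so exact-hash matching on the sample alone would not catch what it writes to disk; pair the hashes with the behavioural indicators in the Signatures section.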