Analysis
max time kernel: 118s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:06
Static task: static1
Behavioral task: behavioral1
  Sample: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Resource: win10v2004-20241007-en
General
-
Target: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
Size: 3.6MB
MD5: 52e077fa15122034a64c117e7808ce20
SHA1: 36097a2e0d084de643126e98ad1f2888b55b61c8
SHA256: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353
SHA512: 1a499fb6d13595813d49c92e5ee09062012f7350f14e44ab2732d740877614db9a2ad2679ecd0c659736ecf45e35e2599c5c939592727e68d03240a2b4896edb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
-
Executes dropped EXE (2 IoCs)
  PID 2624: locxopti.exe
  PID 2524: xbodec.exe
-
Loads dropped DLL (2 IoCs)
  PID 1664: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe (2 entries)
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. No individual IoCs are listed for this signature in the report.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR5\\dobxsys.exe"
    Process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXI\\xbodec.exe"
    Process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodec.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1664: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe (2 entries)
  PID 2624: locxopti.exe and PID 2524: xbodec.exe, alternating (62 entries)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1664 (60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe) wrote to memory of PID 2624 (procid_target 30), 4 entries
  PID 1664 (60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe) wrote to memory of PID 2524 (procid_target 31), 4 entries
-
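The persistence the report records is a Run value pointing at C:\FilesXI\xbodec.exe, a RunOnce value pointing at C:\MintR5\dobxsys.exe, and a drop of locxopti.exe into the per-user Startup folder, all written by the sample itself; note that dobxsys.exe never appears in this run's process tree, so detection keyed on execution alone would miss that entry, while detection on the registry write catches it. The script below is an added example, not sandbox output or code from the report: it runs those checks over constructed Sysmon-style records (EventID 13 registry value set, EventID 11 file create) and, going beyond the report's single case, escalates when one process uses more than one autostart mechanism. Field names follow Sysmon; the benign records, the vendor paths, the `Image` of the sample, and the `TRUSTED_PREFIXES` allow-list are assumptions for illustration.

```python
"""Flag autostart persistence of the kind listed in this report.

Constructed Sysmon-style events, not sandbox output. EventID 13 is a
registry value set; EventID 11 is a file create. Registry paths use the
HKU/HKLM form Sysmon logs; the report's \\REGISTRY\\USER form works too,
because the rule only looks at the tail of the key path.
"""
import re
from collections import defaultdict

REG_VALUE_SET = 13
FILE_CREATE = 11

# A value directly under ...\CurrentVersion\Run or \RunOnce (user or machine hive).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# Any file dropped straight into a Start Menu\Programs\Startup folder. Windows
# ShellExecutes whatever lands there, so the extension is deliberately not filtered.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# First path-like token of a registry value, optionally quoted, arguments ignored.
CMD_PATH_RE = re.compile(r'^\s*"?([A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{2,4})"?(?:\s|$)')
# Assumed allow-list: where legitimately installed autostart entries usually point.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Assumed image path for the sample; the report runs it from the user's Temp folder.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe")
SID_HIVE = r"HKU\S-1-5-21-2039016743-699959520-214465309-1000"

SAMPLE_EVENTS = [
    # The report's two registry writes and its Startup-folder drop.
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": SID_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\MintR5\dobxsys.exe"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": SID_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesXI\xbodec.exe"},
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locxopti.exe"},
    # Invented benign noise: a vendor installer registering a tray app, a temp file.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" --minimized'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\notes.txt"},
]


def command_path(details):
    """Return the executable path named by a Run/RunOnce value, or None."""
    m = CMD_PATH_RE.match(details)
    return m.group(1) if m else None


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze(events):
    """Return a list of findings; each names the rule, the writing process and the target."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == REG_VALUE_SET and RUN_KEY_RE.search(ev["TargetObject"]):
            path = command_path(ev["Details"])
            if path and not is_trusted(path):
                findings.append({"event": i, "rule": "run_key_untrusted_path",
                                 "image": ev["Image"], "target": path})
        elif ev["EventID"] == FILE_CREATE and STARTUP_DIR_RE.search(ev["TargetFilename"]):
            findings.append({"event": i, "rule": "startup_folder_drop",
                             "image": ev["Image"], "target": ev["TargetFilename"]})
    # One process using two different autostart mechanisms is far more telling
    # than either write on its own, so roll those up into a separate finding.
    rules_by_image = defaultdict(set)
    for f in findings:
        rules_by_image[f["image"]].add(f["rule"])
    for image, rules in rules_by_image.items():
        if len(rules) > 1:
            findings.append({"event": None, "rule": "multiple_persistence_mechanisms",
                             "image": image, "target": ", ".join(sorted(rules))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} -> {f['target']}")
```

Two of the three report IoCs are registry writes whose targets (C:\FilesXI, C:\MintR5) sit directly under the system drive, which is why the allow-list is a prefix check on the pointed-to path rather than on the writing process: the writer here is a Temp-folder binary, but a legitimate installer in Program Files writing a Run value to a Temp path should trip the same rule.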
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
   PID: 1664
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (child of PID 1664)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 2624
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesXI\xbodec.exe (child of PID 1664)
      Command line: C:\FilesXI\xbodec.exe
      PID: 2524
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.2MB
MD5: 5f64861955603d6f426d7871b3014efa
SHA1: 5b50761c4d274b41e989dd385d3e03dc6c7bb1f6
SHA256: 5bcd017eee66a9075353896e1454f2c8e52dc623e506a64b67605e7dd83353e1
SHA512: f663429cb98e380a4adf5e354692ed130513e2892f5d842cce29fb3699f09af7fb8823f4fee595913ab2d6cc8f940a4e22c412846bee3579d3532e8881554339
-
Filesize: 72KB
MD5: 459618bcca750b5533666c7585e055b6
SHA1: 6202619d112878a1bdf8014a2e696dea9752e00f
SHA256: 957265a8f281496de3480f04bbfb3a1761a968dfa4e3db5c51a5fdbffc90bf9a
SHA512: 9b436fdfa54f87123149c7209f9dbe92f1c4526c46d1d5a39762e96ef0a37835eb05478e6c37721ec1a1551e738149d352f9e678739621b0179fa5783ad0e1c2
-
Filesize: 3.6MB
MD5: 8202402d3c8b3ba301422f3b264c2475
SHA1: 2a83f3a0ccd947f9074234ecf732582c325270e1
SHA256: d5e7d0696af9eda8747989952c1c1a8ef7fd87f9435fce36a6406c18d19f9092
SHA512: b937709fe00c0e84081eb24c9da330e9c46e66ecc8f05d81f646d9f25c1b6efe3a8e982f93365bab03558d373f4fc20a21a7b01219039982c939b515096839cc
-
Filesize: 168B
MD5: 297110f3a0c779f3e2e886d3542f812a
SHA1: c4262291444f230e2538926e940aa45b74efc57c
SHA256: 7ecca22fdfca87967fb99b045d63a94a7737ba2a999e503487f63bd9a64b604e
SHA512: bff58642c7d239f50c2f8db4a9747a9ca55dffc389ce2c27eef434ab29bc476482b885532158cd9b10ac9e0c7c91dcbb89aa79c8b201d43ff100a3073ccd47de
-
Filesize: 200B
MD5: d6ee1ad2a245fcc7bb05ad5760c16803
SHA1: 89095f8044528e9ca221a92c9cb3eab4f40c576c
SHA256: 55f0fd5377b57af12007e226ad1aa40c170a7dea52b7ef0160b06db6f4f2880b
SHA512: 67124760f06c3b956f8bd03077df5d6b1fe202efd3a17a8cf1da53c9f89e478ae2d9ebbdbbca2c9d5591736f1ebf998948b93abbbf7651940e798b71d000f3a0
-
Filesize: 3.6MB
MD5: 1f07df99e0d7862db027647b5ab63a6e
SHA1: 1f732785a6921f27b9299681711de721ad801235
SHA256: c693ade3a462dd193914a1378d0bc636dd7ee76e30cdbf1c6a496096c5dab8e8
SHA512: 62eac6429609c78f175c60c73eaeab3e514bc6b4c7b9b352e25806f1f4df3a332d603374455bf9fb5febfce8cf8807083e4200061eea56d0e007491ec298b13d
-
Filesize: 3.6MB
MD5: f1170ab96ff0d6245a1d78434184d88a
SHA1: 6b544f906bfd5c5eb675af2ecd04d8b6fd300f3b
SHA256: 0eab4708b3e9e17a0b2c66c22f8291a4c8151fd1257360d850a3fe8350b19b22
SHA512: 53429ac5e561b269b098d0c50116e6b3602946bb3331967efb441e75d66d9bd18c355963ce175195bf03863a12b8b80a4711c231bc7e25446d7c8ba92555d199