Analysis
max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
08/11/2024, 23:17
Static task
static1
Behavioral task
behavioral1
Sample
4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Resource
win10v2004-20241007-en
General
Target
4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Size
2.6MB
MD5
09e59590edcd3f5696701d395b57e4c0
SHA1
106854f79a73f5e62022a9545d7b4fb7b244012d
SHA256
4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a
SHA512
e2ec36ecfd6e3aa6be9f50526498e4505f2ea05763750074edbe3b66e9add55d0dd958c04d46b8f1c324e9e358c4c4a885dba0db023061f062661f255ea9b4b6
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpXb
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Executes dropped EXE 2 IoCs
pid | Process
2408 | locaopti.exe
3380 | xoptiloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot28\\xoptiloc.exe" | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1X\\dobxsys.exe" | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Note that both persistence targets sit in directories created directly under the drive root (C:\UserDot28, C:\KaVB1X), not under the user profile, and that the RunOnce target dobxsys.exe does not appear in any "Executes dropped EXE" or "Drops startup file" entry of this run.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
3140 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 4
2408 | locaopti.exe | 30
3380 | xoptiloc.exe | 30
(The 64 pid/Process entries of the original listing are collapsed to one row per process; the two dropped executables alternate in the listing in pairs for the remainder of the run.)
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target | entries
PID 3140 wrote to memory of 2408 | 3140 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 87 | 3
PID 3140 wrote to memory of 3380 | 3140 | 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | 89 | 3
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3140
  (level 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
  (level 2) C:\UserDot28\xoptiloc.exe
  Command line: C:\UserDot28\xoptiloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
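An added host-check script, not part of the sandbox report, that looks for the artifacts listed above on a live Windows host: the Startup-folder copy of locaopti.exe, the two paths named in the Run and RunOnce "Parametr" values, the process names from the process tree, and the SHA256 values from this report (the sample plus the files in the Downloads section). The S-1-5-21-... SID in the report belongs to the sandbox user, so the script enumerates every loaded user hive instead of hard-coding it. The check for C:\KaVB1X\dobxsys.exe is included only because the RunOnce value names it; this run shows no dropped-file entry for it, so that path may legitimately be absent.

```powershell
# Added example: host check for the IoCs in this report. Not part of the Triage output.
# Paths, value names and hashes come from the report; the user-hive SID is discovered at
# runtime because the S-1-5-21-... SID shown in the report belongs to the sandbox VM.
$ErrorActionPreference = 'SilentlyContinue'

# SHA256 of the submitted sample and of the files written during the run (Downloads section).
$KnownHashes = @(
    '4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a'
    'de7fea2a9af76f58de29e62f01aac4df88c9730bd21bde061fde94c0b492fbf1'
    'f832d6bc26ca1d6eab5f07d9efe546db5e9623d9195f5a8ec3eb287ff9827bcc'
    '2ae376a91dfa26c06123fcc113301464ce0cc3314b1543021029eb3aaf69f96b'
    'b1e01208367d5155cec00eda287a44ef9338bd1f49c98dddceb7408eae078079'
    '591ff7cf6c3ee90c8e149ba655f8b3dc7febe86b2a14de637f6f74df86bd051c'
    'e270a2b6618e20d60a34f6f8415de46cfb7f3d25f94e56da3031751f61450dbc'
)

# Startup-folder drop plus the two paths the Run and RunOnce 'Parametr' values point at.
$KnownPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe')
    'C:\UserDot28\xoptiloc.exe'
    'C:\KaVB1X\dobxsys.exe'
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Files on disk, re-hashed so a file at a known path with an unlisted hash is still reported.
foreach ($p in $KnownPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes -contains $h) { Add-Finding 'File' $p "SHA256 matches report: $h" }
    else                           { Add-Finding 'File' $p "present, hash not in report: $h" }
}

# 2. Persistence: the sample writes a value named 'Parametr' under both Run and RunOnce.
#    Every loaded user hive is checked, not only HKCU, so other logged-on users are covered.
$hives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $hives) {
    foreach ($key in 'Run', 'RunOnce') {
        $keyPath = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$key"
        $item = Get-ItemProperty -LiteralPath $keyPath -Name 'Parametr'
        if ($item) { Add-Finding "Registry $key" "$($hive.PSChildName)\...\$key\Parametr" $item.Parametr }
    }
}

# 3. Dropped executables still running, matched by image name and re-hashed from disk.
foreach ($proc in Get-Process -Name 'locaopti', 'xoptiloc', 'dobxsys') {
    $img = $proc.Path
    $h = if ($img) { (Get-FileHash -LiteralPath $img -Algorithm SHA256).Hash.ToLower() } else { 'unavailable' }
    Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" "image $img, SHA256 $h"
}

if ($findings.Count -eq 0) { 'No IoCs from this report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so that all user hives under HKEY_USERS and all process image paths are readable. A file at one of the known paths whose hash is not in the list is still reported, since the four 2.6MB files written during the run already differ from the sample by hash while being the same size; treat a "hash not in report" hit as a lead, not as a clean result.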
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 2.6MB
MD5 723f1c3ad1336d278e84b04968d246bb
SHA1 a3cdff3cd39907386016f9aa0ced7f803f67314d
SHA256 de7fea2a9af76f58de29e62f01aac4df88c9730bd21bde061fde94c0b492fbf1
SHA512 425193df402fa93f2ad4f57e2580ed3bfb66e5921951bbe68b777fe8bec3b9bcdab2a0ee59698ed51d10f262ad5a5ed61be15b84b6139e893983923ca2560289

Filesize 2.6MB
MD5 c0f947a72fc0f3c62416a88a72c66709
SHA1 51d91a91af0eadbd490468171cfb69815aee8420
SHA256 f832d6bc26ca1d6eab5f07d9efe546db5e9623d9195f5a8ec3eb287ff9827bcc
SHA512 19d0cdfa1d51c2ccb1a3c0a3b7061f5b5eac80cf6e9ffe83a5b867d112afbaed52e30220f3af6390405a84f5448522bc881618281f46211ad03c1152654dc054

Filesize 2.6MB
MD5 f67feab3eb40835d467699d1ddcb038b
SHA1 e53f7297d8285360bd48f3552530211c877cf928
SHA256 2ae376a91dfa26c06123fcc113301464ce0cc3314b1543021029eb3aaf69f96b
SHA512 1f49ecef3c8fe16e59fb3c6178fb5c0fd4482792ef21c68e3381ab79b18bf9ea7a0514cadd65e3bbc3a58f257fbe3ba14d02ac27f544e0a5f6fc614b44fbe8f5

Filesize 204B
MD5 8704453e7c2e8918b18ae89b31a69d04
SHA1 4b36f9be162164363714467a18afa7515410675a
SHA256 b1e01208367d5155cec00eda287a44ef9338bd1f49c98dddceb7408eae078079
SHA512 ede5ea7dd08f34e4f630e2a9f7e0a85e383c710906a243dca390102d97e8dbcae1271e39d989f0c2642ac50bda9bb0a99eb4d11b36a0643b571db29723eac2af

Filesize 172B
MD5 66953f6c7985957c59221f67d3d2c4e9
SHA1 036f61cb9985ab0185759b2fa777b6f36e857986
SHA256 591ff7cf6c3ee90c8e149ba655f8b3dc7febe86b2a14de637f6f74df86bd051c
SHA512 6d4736ff4377b32c609fb7855640b5d5bca13ceba30d349da570b1422576fa36bb3d2f84fff04a44cdb4bddff7590a11005047e88a9a7f82db9853cf7ebbdfd3

Filesize 2.6MB
MD5 6e89c0767aa75008b202eeefb202e756
SHA1 dd12847de72cc30a1c5c071130e7c2c0bd324f18
SHA256 e270a2b6618e20d60a34f6f8415de46cfb7f3d25f94e56da3031751f61450dbc
SHA512 671e07470eeba4b920b0b5692976946142c271ac4ee229a877430ad57253d81987247e48f26adcb2aecfe1a9dc72f993f3a43ce6bf88456f4fb297ff3ba12ec4