Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:17

General

  • Target
    4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
  • Size
    2.6MB
  • MD5
    09e59590edcd3f5696701d395b57e4c0
  • SHA1
    106854f79a73f5e62022a9545d7b4fb7b244012d
  • SHA256
    4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a
  • SHA512
    e2ec36ecfd6e3aa6be9f50526498e4505f2ea05763750074edbe3b66e9add55d0dd958c04d46b8f1c324e9e358c4c4a885dba0db023061f062661f255ea9b4b6
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpXb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
    "C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408
    • C:\UserDot28\xoptiloc.exe
      C:\UserDot28\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3380

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVB1X\dobxsys.exe
          Filesize: 2.6MB
          MD5: 723f1c3ad1336d278e84b04968d246bb
          SHA1: a3cdff3cd39907386016f9aa0ced7f803f67314d
          SHA256: de7fea2a9af76f58de29e62f01aac4df88c9730bd21bde061fde94c0b492fbf1
          SHA512: 425193df402fa93f2ad4f57e2580ed3bfb66e5921951bbe68b777fe8bec3b9bcdab2a0ee59698ed51d10f262ad5a5ed61be15b84b6139e893983923ca2560289

        • C:\KaVB1X\dobxsys.exe
          Filesize: 2.6MB
          MD5: c0f947a72fc0f3c62416a88a72c66709
          SHA1: 51d91a91af0eadbd490468171cfb69815aee8420
          SHA256: f832d6bc26ca1d6eab5f07d9efe546db5e9623d9195f5a8ec3eb287ff9827bcc
          SHA512: 19d0cdfa1d51c2ccb1a3c0a3b7061f5b5eac80cf6e9ffe83a5b867d112afbaed52e30220f3af6390405a84f5448522bc881618281f46211ad03c1152654dc054

        • C:\UserDot28\xoptiloc.exe
          Filesize: 2.6MB
          MD5: f67feab3eb40835d467699d1ddcb038b
          SHA1: e53f7297d8285360bd48f3552530211c877cf928
          SHA256: 2ae376a91dfa26c06123fcc113301464ce0cc3314b1543021029eb3aaf69f96b
          SHA512: 1f49ecef3c8fe16e59fb3c6178fb5c0fd4482792ef21c68e3381ab79b18bf9ea7a0514cadd65e3bbc3a58f257fbe3ba14d02ac27f544e0a5f6fc614b44fbe8f5

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 204B
          MD5: 8704453e7c2e8918b18ae89b31a69d04
          SHA1: 4b36f9be162164363714467a18afa7515410675a
          SHA256: b1e01208367d5155cec00eda287a44ef9338bd1f49c98dddceb7408eae078079
          SHA512: ede5ea7dd08f34e4f630e2a9f7e0a85e383c710906a243dca390102d97e8dbcae1271e39d989f0c2642ac50bda9bb0a99eb4d11b36a0643b571db29723eac2af

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 172B
          MD5: 66953f6c7985957c59221f67d3d2c4e9
          SHA1: 036f61cb9985ab0185759b2fa777b6f36e857986
          SHA256: 591ff7cf6c3ee90c8e149ba655f8b3dc7febe86b2a14de637f6f74df86bd051c
          SHA512: 6d4736ff4377b32c609fb7855640b5d5bca13ceba30d349da570b1422576fa36bb3d2f84fff04a44cdb4bddff7590a11005047e88a9a7f82db9853cf7ebbdfd3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
          Filesize: 2.6MB
          MD5: 6e89c0767aa75008b202eeefb202e756
          SHA1: dd12847de72cc30a1c5c071130e7c2c0bd324f18
          SHA256: e270a2b6618e20d60a34f6f8415de46cfb7f3d25f94e56da3031751f61450dbc
          SHA512: 671e07470eeba4b920b0b5692976946142c271ac4ee229a877430ad57253d81987247e48f26adcb2aecfe1a9dc72f993f3a43ce6bf88456f4fb297ff3ba12ec4