Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:38
Static task: static1
Behavioral task: behavioral1
Sample: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Resource: win10v2004-20241007-en
General
Target: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Size: 2.6MB
MD5: 44e34eb4cc19d4dd6e2cd8838b5bdb80
SHA1: e87d983c1eb39ef25554dec73e82ef355c9fb613
SHA256: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4c
SHA512: 71cd4921c9a49e5e6e3224372223053e03169b0e6ca2b58080e421aee98abfa9703d4e26c556b88dab89bf0143b0212505c7411aae1dd8dcb0d430556b9a69d9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Process: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe

Executes dropped EXE (2 IoCs)
  PID 3108: locxdob.exe
  PID 1772: aoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRA\\aoptiloc.exe"
    Process: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxP8\\dobdevec.exe"
    Process: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2616: c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe (4 entries)
  PID 3108: locxdob.exe and PID 1772: aoptiloc.exe (the remaining 60 entries, alternating in pairs)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2616 wrote to memory of 3108 (c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe, procid_target 88) x3
  PID 2616 wrote to memory of 1772 (c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe, procid_target 89) x3
Processes
1. C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2616

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3108

   2. C:\IntelprocRA\aoptiloc.exe
      Command line: C:\IntelprocRA\aoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1772
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 2ee5c3d8602fb571814f295d8c2b93ff
SHA1: 270b24bedca1c79062c50e524a90a748eb89d7c6
SHA256: ead41c53762acfdc5bf3c53bc87f02074c0a43406ba92ed00f067410c61e12c4
SHA512: 6c7000e763d3cbb78f67d48c76adadb75680bedfd516079e99009fea6cfabdfbddaa98ffff10f8fdec9611b43d724190d259f038c0901bb8422c471041500d07

Filesize: 2.6MB
MD5: 45578479a84404c4c9207651743f4732
SHA1: aa5b005b5fa67dc7661a7420b7185e94491f8124
SHA256: 78899659482d326209dc1ade0a831bc60b86237679f92efa3727d1e76a5c7e73
SHA512: e69e1f0d2c4d612d6cca1557dedb61c406978fd05d24500e1f53b7605e9c69cd24dc1c67b4aa36e6b4f0e2a6a303b2adb95655fdf9719c2869fdc87de9cd1a5b

Filesize: 2.1MB
MD5: ea02732ce515056907b93a5cf5ffdf52
SHA1: afa9370c6c9770ee479b6748dc3b830e542651ee
SHA256: a54fc3e011dca9dc76e40038ec4ba73091ff440916c1307f29f7f5f17f5414a6
SHA512: 997fc9f5f63cb30e3fc1d10fd76cf0c7a53ee89c06c6741f059858987286844212c197af40572a7dac5bd4c1052124b38cca1f817c51b68246561acb5b66c1e7

Filesize: 2.6MB
MD5: 03be06041b543877be92277560087914
SHA1: f28d20007f7088d0beaf6c40707609a9b8dd9d98
SHA256: ab1b1c08bd22e92530fcc21fe8d8d90ecb08681786c07151e1d0d2b91fe2b2a0
SHA512: fee56291e99dd939851e205a95f3dff7ce29fdf95e1892e37bf27ac0b147f56f27cb46dd083a329ffd33521d1f9dd1980bbaf9db2c366a7369d7192a9a2c43ef

Filesize: 207B
MD5: 4f4175d9379bfe68015862710532f4f9
SHA1: 8baaee141f6b6b0612e515c7e1ecd506e4e5a6cc
SHA256: 5ceebcf3f2abb8c0f50e2278ebb72b57c7f7c4f5626be7281bea4d8878964eac
SHA512: e8cd5346ec927c03f9a995b7062353177aa26dac73f40121ea21b62e01755b7315a003bf7e7f25d6bb52d5320cd7b5fcb5c12bca93d016af4712b9f7af6778c7

Filesize: 175B
MD5: 06c1c81701bf99088ee128c65e21b1fa
SHA1: 17404868537a8fa76f0a0c6d6c262d2372408ace
SHA256: 4b8a3cf0574a3af95303e3d03ab068229e6dc274dbca5fd3840a9b47f4f6b363
SHA512: 494a274ce46e6225d0301a1c509d51fdcb2a610fff911ef18fb857ddbd3fd49dad33a6e8d4ac998faf42d9f4c55d66db327b58616cf40cda989548481b5a5f8b

Filesize: 2.6MB
MD5: f8e484cc6cb00202163c465b97fe8bd6
SHA1: 8ef010f19c53218bcbadf34497f9aabde37f32c2
SHA256: 01b79b1693a1d63933c1ce0fcf3b233167969f4b6134d3ffb51a34aa52e30af0
SHA512: 27f93c1c0d89efc3cef250e261f059c7951a460a4af4d40631929429a5daf0ae4746257703edee4e2d96bfc21f0b24d6205ee4150cdebb2b78ecb8c5819e74bd