Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Resource: win10v2004-20241007-en
General
Target: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
Size: 2.6MB
MD5: a51a48199653b76b47bf55ae6abdb470
SHA1: 53ca5ea420e3e5dd1ac9c0e2aeb4782030d9c753
SHA256: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1
SHA512: 002d6bd0632487ccc37e23903994b2ed8f81dda382a3e259ddca7022347814be4f73f09d6882da3f4fd38aecc4a90a14e4eefa6ec55ad294beeb48d483cdc30c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpXb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe  (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe)
Executes dropped EXE (2 IoCs)
  PID 2844  locxbod.exe
  PID 968   xoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQQ\\xoptiloc.exe"  (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRO\\dobdevsys.exe"  (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: locxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xoptiloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 456   8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe  (4 entries)
  PID 2844  locxbod.exe   (30 entries)
  PID 968   xoptiloc.exe  (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 456 wrote to memory of 2844  (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe, procid_target 89)  (3 entries)
  PID 456 wrote to memory of 968   (process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe, procid_target 90)  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
  PID: 456
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    PID: 2844
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesQQ\xoptiloc.exe
    Command line: C:\FilesQQ\xoptiloc.exe
    PID: 968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 490KB
  MD5: bded4d20064fd3c57f89fd7ec4335add
  SHA1: 9e21615c9479e77a0b0e4024e0d6a1c292d71b4f
  SHA256: 6d4b1e047a26cd5d2c9cee308e9d3f011591c5dd5e99b84e58cf080cd1674d4a
  SHA512: 98904b067f93ce5b2eb2a273057891beba781a92fffed74dc59f02659d432292293e4a162d32885233c00b2a1f5438bbc72b1b09433ef701c2c00fe3e84429b9
- Filesize: 2.6MB
  MD5: 9a3cf4fe5efbfb3f46ae8d6277446931
  SHA1: 5c689c51fe75b75e34ad904f10eb38d3c95cf6e0
  SHA256: 53e90bc860e00bd1ad772bd6b90e8adad9477fec7feb24a4aa7c9b1fd081c2de
  SHA512: 38e7770fb9442a4a01ea3012cfc6d6b62d3f7f405d3020fa74a073d57191442224c748044d5f5558865b0d4a348813e758c072a2d0820196235bffcb18fbcb40
- Filesize: 158KB
  MD5: 5840f3dc89d5828882b91916512341e2
  SHA1: d7d50bb13b6fbeebe612f359389de8abf839b24f
  SHA256: bd34e54bbd8b7b694a414eae89136327ec6e23ff77739bc26cb1e659dd73a2ec
  SHA512: 82d07f2d65b4c9d1fa005928b7325e86c8e12128547f22986d633ad1e6425db6fe2da54f020bc350605e80416495c71b036f3dde097eebba1b39192484a232e2
- Filesize: 1.1MB
  MD5: 70c3af8b120f6a8c9bb330206f0b6a54
  SHA1: bd916d83bb4615d1e4928b31a39da4983189623d
  SHA256: 770f59ec484f622517f9a9805901427b2a294a5144da8dabd64ba8b5f165164a
  SHA512: 2022ccf34402dea031e2a045c262e6c922fd54b6d359561b7fcefae7bbe117d98cb7f624897edc69ae51ca39554b5727e45098476371c02b5b55b73bf4d2063f
- Filesize: 204B
  MD5: 2e99d81a48596376e4fcd3dc619dab70
  SHA1: afb07ec62d07c0c40249ed23c86e0a0089df54c2
  SHA256: 9633c5eb7e1dd6388e6ca3248b9073a9166d17d0ac915e97301ef7e4d7966ea0
  SHA512: 1a9763644ae4d5a8c98fdf0b056d207b24870259ebc8df8537e72535978318baebab19c2b77a0b16cd58c7d560f0e12ab8f7cc5808dc5d4131d9640a8c0a0343
- Filesize: 172B
  MD5: 432b435cb471fa44b5bf3a99869a8a92
  SHA1: 989f4d33c309cc9625c91c480f2225d14cdf8c15
  SHA256: 49e5feeb69d82e123dda49ea56e2c1dba9d2b574af4ee7662677817f8c562e91
  SHA512: c52ea91f248c9c19b36975f32eda46af6a22fe29e1e9d049b8c3bf9fa131db8069ea58f8cfdeb0ec57d495fd7fde77d2339bca024a00394aeaf81a46387818f3
- Filesize: 2.6MB
  MD5: 530072822bef8e13a7345b3420fc8894
  SHA1: 800ca8b7b1483c7bad0a29bb43f26c2583fb9a74
  SHA256: 0e61dd888d2f214dd6184a3b264dbb932d65393127ce723f5be423e30cc9d49d
  SHA512: aff57e5f0fb82d32949f92efe70184552bdb7cca90d2c22630846d8675ed46486e390a077d1a29fef46a5c17517640ad05493dc5b21a40766a50dfc0b1285a34