Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:31

General

  • Target

    8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe

  • Size

    2.6MB

  • MD5

    a51a48199653b76b47bf55ae6abdb470

  • SHA1

    53ca5ea420e3e5dd1ac9c0e2aeb4782030d9c753

  • SHA256

    8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1

  • SHA512

    002d6bd0632487ccc37e23903994b2ed8f81dda382a3e259ddca7022347814be4f73f09d6882da3f4fd38aecc4a90a14e4eefa6ec55ad294beeb48d483cdc30c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpXb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
    "C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2844
    • C:\FilesQQ\xoptiloc.exe
      C:\FilesQQ\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesQQ\xoptiloc.exe
    Filesize: 490KB
    MD5: bded4d20064fd3c57f89fd7ec4335add
    SHA1: 9e21615c9479e77a0b0e4024e0d6a1c292d71b4f
    SHA256: 6d4b1e047a26cd5d2c9cee308e9d3f011591c5dd5e99b84e58cf080cd1674d4a
    SHA512: 98904b067f93ce5b2eb2a273057891beba781a92fffed74dc59f02659d432292293e4a162d32885233c00b2a1f5438bbc72b1b09433ef701c2c00fe3e84429b9

  • C:\FilesQQ\xoptiloc.exe
    Filesize: 2.6MB
    MD5: 9a3cf4fe5efbfb3f46ae8d6277446931
    SHA1: 5c689c51fe75b75e34ad904f10eb38d3c95cf6e0
    SHA256: 53e90bc860e00bd1ad772bd6b90e8adad9477fec7feb24a4aa7c9b1fd081c2de
    SHA512: 38e7770fb9442a4a01ea3012cfc6d6b62d3f7f405d3020fa74a073d57191442224c748044d5f5558865b0d4a348813e758c072a2d0820196235bffcb18fbcb40

  • C:\GalaxRO\dobdevsys.exe
    Filesize: 158KB
    MD5: 5840f3dc89d5828882b91916512341e2
    SHA1: d7d50bb13b6fbeebe612f359389de8abf839b24f
    SHA256: bd34e54bbd8b7b694a414eae89136327ec6e23ff77739bc26cb1e659dd73a2ec
    SHA512: 82d07f2d65b4c9d1fa005928b7325e86c8e12128547f22986d633ad1e6425db6fe2da54f020bc350605e80416495c71b036f3dde097eebba1b39192484a232e2

  • C:\GalaxRO\dobdevsys.exe
    Filesize: 1.1MB
    MD5: 70c3af8b120f6a8c9bb330206f0b6a54
    SHA1: bd916d83bb4615d1e4928b31a39da4983189623d
    SHA256: 770f59ec484f622517f9a9805901427b2a294a5144da8dabd64ba8b5f165164a
    SHA512: 2022ccf34402dea031e2a045c262e6c922fd54b6d359561b7fcefae7bbe117d98cb7f624897edc69ae51ca39554b5727e45098476371c02b5b55b73bf4d2063f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 2e99d81a48596376e4fcd3dc619dab70
    SHA1: afb07ec62d07c0c40249ed23c86e0a0089df54c2
    SHA256: 9633c5eb7e1dd6388e6ca3248b9073a9166d17d0ac915e97301ef7e4d7966ea0
    SHA512: 1a9763644ae4d5a8c98fdf0b056d207b24870259ebc8df8537e72535978318baebab19c2b77a0b16cd58c7d560f0e12ab8f7cc5808dc5d4131d9640a8c0a0343

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 432b435cb471fa44b5bf3a99869a8a92
    SHA1: 989f4d33c309cc9625c91c480f2225d14cdf8c15
    SHA256: 49e5feeb69d82e123dda49ea56e2c1dba9d2b574af4ee7662677817f8c562e91
    SHA512: c52ea91f248c9c19b36975f32eda46af6a22fe29e1e9d049b8c3bf9fa131db8069ea58f8cfdeb0ec57d495fd7fde77d2339bca024a00394aeaf81a46387818f3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 530072822bef8e13a7345b3420fc8894
    SHA1: 800ca8b7b1483c7bad0a29bb43f26c2583fb9a74
    SHA256: 0e61dd888d2f214dd6184a3b264dbb932d65393127ce723f5be423e30cc9d49d
    SHA512: aff57e5f0fb82d32949f92efe70184552bdb7cca90d2c22630846d8675ed46486e390a077d1a29fef46a5c17517640ad05493dc5b21a40766a50dfc0b1285a34