Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:42

Static task: static1

Behavioral task: behavioral1
Sample: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
Resource: win10v2004-20241007-en
General
Target: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
Size: 2.6MB
MD5: 5e766b1c0a77dc453ff6f67737e8bec0
SHA1: 4de0702d4d12030108e83a9bc31696fd9508314b
SHA256: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669e
SHA512: c116bef1e3bb97d73dcaefdb79fd8dbaf800aa7296a11f704aff28760bd278372ea578e47b88071e30b1530abb06d0f09851e72c0416a474a0faed1c68a2e338
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
- Executes dropped EXE (2 IoCs)
  PID 3588: locxdob.exe
  PID 660: aoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLP\\aoptiec.exe"
  Process: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optialoc.exe"
  Process: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3700: 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe (4 entries)
  The remaining 60 entries alternate, two at a time, between PID 3588 (locxdob.exe) and PID 660 (aoptiec.exe), 30 entries each.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3700 (7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe) wrote to memory of PID 3588, procid_target 88 (3 entries)
  PID 3700 (7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe) wrote to memory of PID 660, procid_target 89 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe"
   PID: 3700
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (child of PID 3700)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      PID: 3588
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesLP\aoptiec.exe (child of PID 3700)
      Command line: C:\FilesLP\aoptiec.exe
      PID: 660
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 889d9cc2e0795de5a973596d8debe55b
SHA1: 0505657360388ab374bb5391692219e6af122135
SHA256: aa7111683340d91ee135dcd92bccbe7961975e76da6763de2eacdac09520af37
SHA512: 1f609f393e2d4403add193a47c119eb9dbd835bb66706ce6100f9bfecd50e74217cb2175e3340487d62c64b5791054540fd65894a93f3ed47154ec7ac612f7dd

Filesize: 119KB
MD5: d008e09b09f2375c991323ff142c7801
SHA1: 0b4ac89a019bd9e83f5309c417cb18cfe5c7a39a
SHA256: e126794bd35ebcb33c483c8de7d7b0cc113c7c42d147b29f9e4725ff9b7e6849
SHA512: 6a892be4295d6a877693e19a5a4dfb3c286ce9cba13ba6bab21cd85abb9b33934a41264566a3ef481c4a9c2e80c139fd0994afa6780509aab6fe555be66a455d

Filesize: 14KB
MD5: 9262cab29eba6c8ec58cf55dd510774f
SHA1: 9c109088d1dc40745dede1654950cf3c14a07d0e
SHA256: e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945
SHA512: 2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004

Filesize: 201B
MD5: b82fbc0bb660c0ed3400a39120e5ab36
SHA1: 8505638b8fd345d76a1feca0e5e840a7436c0e74
SHA256: 54db3406ca61f225f05ba9404f032e7c3b3522cfde4700e222e419e29fdcea35
SHA512: 3663662f1a61f67648b5587f5bc672883bc7df0a3909b17b8323db9afd470e3d99dcd0d65dc5d75e04b6c8fd1d83b6e756e93316728b623cf32f918d442cf1e6

Filesize: 169B
MD5: aa3f16674f48107bfb82601a00466419
SHA1: 74928858aa9f2b4d3774de5de2ae1fd78c2d315a
SHA256: dab8a10a8d0e6dc07a4b5ddab897f0225825bb08da1b01b2a43dd3e14730b293
SHA512: f876cb95bb53038add7a174b9f455d1aa60b88138bd74d72947c983f01b7b79603d4043826b93f800779df4319ffff6cabbba755c1fe92a17195df4622ded479

Filesize: 2.6MB
MD5: 54ba8af696b4db17e7af57520e727ba1
SHA1: e01c304fd9b10163e4bce796a726ba77d9eff5e9
SHA256: 3ce830128c69c546ab58edacfb2eed984e3fd23ae1066e0637dfe03d5af2e582
SHA512: ea0dfbf4c6c229f10e901140d24b96db642eff8ed9aede2ba25fc721f689273cf2201ca5430d5168212e2e6563bbe549d4e13fff716f57a9177021311f2a2eb6