Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 13:20
Static task: static1
Behavioral task: behavioral1
- Sample: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
- Resource: win10v2004-20241007-en
General
- Target: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
- Size: 2.6MB
- MD5: eb0b3ea8f23af1bafa96769bd9a21a60
- SHA1: 9e671d8117b4f5c5ffad9536b4ca601dff1f3b70
- SHA256: b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819
- SHA512: 99eedcf0a8ccc292c62856afc68e6969d5cfb6eccba2670a46fc4c818db51dec75d08d9a7998655d266ed72b4cac49b7a5697270ba6c003a49b8beb3ada94b59
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpAbV
Malware Config
Signatures
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1008 | locxopti.exe
  4796 | abodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFG\\abodloc.exe" | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDV\\boddevec.exe" | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (distinct entries)
  4052 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  1008 | locxopti.exe
  4796 | abodloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4052 wrote to memory of 1008 | 4052 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | 89 (3 entries)
  PID 4052 wrote to memory of 4796 | 4052 | b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | 92 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4052
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1008
  - C:\FilesFG\abodloc.exe
    command line: C:\FilesFG\abodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150KB
  MD5: 86e66331e4d6799ef044201296b62a59
  SHA1: 76dfd87ead34479f20bcec5ba5d5c49d2acc289d
  SHA256: f0f208d73f7a52e28b39befe6cfe439c07b33de8046c8fb0c8bf7ac6a84c9434
  SHA512: 38cc99f7c65938553e056a5ed948d95d93587dbc117e93febac0403488d5c0125e27ca0eea2b0531e7bfc3f310e9743e3e2e8e8f9fffef8badae8f5a3128e74b
- Filesize: 2.6MB
  MD5: 27d143c6ee09938461566edc9aa7d644
  SHA1: f339e6b46ceda13e0a3fcba1969b2bfebd98b436
  SHA256: 303cbd7071b7030391b4b17a3f36bb2444d130f63f77c66ab7e0237715cebf00
  SHA512: 84a3b772a0e15caedf49087fa14291b1f486b5f1f8315fae56d0a44d117ec644f1fed8f8a48211f5e918a974d7547aef695b1726ba3e3daa6f2030a7b152f461
- Filesize: 488KB
  MD5: 8d3e64c612223e70ac34a874351156b4
  SHA1: 776ecc61f0105cebc5d790e659279a4486cae56a
  SHA256: 90e07e4fc6fa92c7fa9f019cfa2c25d2ec0c8c399fc13767a5de2b8c6b55d1ce
  SHA512: 3bff4e7c0eda209fa7b45de50ea372601de4546d1d98b29022a4a48c2b3425cac1a003dad5440ad24a172630dfb82d80885be5d2c9f8a4c3a1f201153dbf6692
- Filesize: 2.6MB
  MD5: 853ac5a991b0a0e346f931b07e1075df
  SHA1: 489622fd3fab99ba6d54db8e1c6dbcac019317c4
  SHA256: 38bd181a1d2fe274dd0a32a89244786fa5f68a0380fe285244ee93cffdf1d0f9
  SHA512: e15cd6f3f5c12f3cbb97494bddf1ecb2bd63ebe0afbd71808a225b4c514bd2ed1ef61280a68a0131ac0376fb9dcef3bb968718e60a8bf68105bf564434758333
- Filesize: 203B
  MD5: fbe9710dc5d4395e9aea618dc8376dfe
  SHA1: ab4d58823bed9b772b8b904f6e8a8444714f2c84
  SHA256: 19f9e37729294333629129a81a2041d96cbfae545f24a79b676bf40225d9ca4f
  SHA512: 3ddbaf2a7a4bbfa5e23839c0145276f48f03476b4deece89c6df05eb5c8b20b3028620380bd5727f7f774dd0deb047cdff5c0432e870158f8dd5fb92cfc63c2d
- Filesize: 171B
  MD5: a7e920bf053284688a40c5372d88ebf8
  SHA1: 1cf959b0fcc219c0d8353649331831ec4c9dae72
  SHA256: 04176b280c237dea6e71e474216c9a2e348ff2179013196f8d6de93a339f5c3b
  SHA512: 27c22f47ae5a99efb1f615c60e82e90654a258ba5736901c0d58fbb7ba3fab518f67dfecb2203371c52b96016d61bdc13b5eba1281f5f17fe447c814ad7d1f58
- Filesize: 2.6MB
  MD5: 4ba566656ea4d88d52d6f6ec1a0a5601
  SHA1: c25dabb36e6e6286310e7dfc36b8bebe1be5244d
  SHA256: 394c2fe2d9f3b07cbc09aaf7c310ad00533d4aaa520a1d6b2c975eb5ec7944e5
  SHA512: a21a73afef5d1bdd4298ac363a6b0078fddb6a5fd693e4c56e7202bf3deb34b6ae35548df3f52208c4552d01fd101f8ba5441a845aa8d20e1d873b56d0ea2a94