Analysis
-
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 14:49
Static task: static1
Behavioral task: behavioral1
  Sample: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Resource: win10v2004-20241007-en
General
-
Target: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
Size: 2.6MB
MD5: a090dc0f5b9a2dc6498e66d6336da710
SHA1: ca5f8b4ba7aba68609734727e7c9ebac0bf6a407
SHA256: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7
SHA512: ea713af642c65d011ad5b2c9c8fd325f7027c4598914589f6033ce0659d2e8a86798eb15a7eee591e5e0d2bd01c98dad3b9ebec296aa6743741795f5415a1243
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
-
Executes dropped EXE (2 IoCs)
  PID 772: locxbod.exe
  PID 2340: aoptiloc.exe
-
Loads dropped DLL (2 IoCs)
  PID 3048: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  PID 3048: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
-
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTX\\aoptiloc.exe"
    Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ10\\bodxloc.exe"
    Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptiloc.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3048: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe (2 entries)
  PID 772: locxbod.exe and PID 2340: aoptiloc.exe (remaining entries alternate between these two processes; 64 entries in total)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3048 wrote to memory of 772 (Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe, procid_target: 30) - reported 4 times
  PID 3048 wrote to memory of 2340 (Process: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe, procid_target: 31) - reported 4 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3048
   -
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 772
   -
   2. C:\AdobeTX\aoptiloc.exe
      Command line: C:\AdobeTX\aoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2340
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 10KB
MD5: a86336805b3d53c18600c251ef3cfa32
SHA1: 69594cfc6347aa438b9319dfca41704cf4607aa6
SHA256: 8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5
SHA512: 2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93
-
Filesize: 2.6MB
MD5: 1b755c5693b5a398bd557ab5fe9eab57
SHA1: bf42a199b2e89b29f1004f8c1902b30d0e0465cf
SHA256: c331988ef233c568baffcf8036f4cd6146a751237df4745e8b45126dacf9d3bc
SHA512: bfffa53c3e9ebd74a26709dc3a83f0f06c58e282f136da8ed304ac792b0b924cefe8e28cd5348887314f0fb094f187c896ead532cabd841c764c84ac42de4e49
-
Filesize: 43KB
MD5: 10d3f3e58a3ef58f5171e4ae32fa456b
SHA1: b11202a2da9a50ecbc728f5b227da242dbb076b6
SHA256: 39bd105cae5dd3bc06221de8f19f3df1bb1087d9be94f352640741467eb2a690
SHA512: f769fd795c333c99341608ec887ab58b9db5899015cc0fa119e2f82b07431f705e4054f585cbb14bad80ceff7a0d52cdbe8093f5c4d101b238c20d88213c09cb
-
Filesize: 2.6MB
MD5: 65890064a665bbb28dae4960ea463bb0
SHA1: 3626e521e32275aa6fab8f1bdc8cffdfbe6c9ea2
SHA256: 1ab15c9c3b29c4abb7093cf5c5409027ca290c99fbd7e5e4757dc5bde20b64f6
SHA512: 77bf6bb968f213ab51c924ec31d1538c8a202342982902b5e223ab4d8a67417889de6a16c05aa795ab84e617c8426ace9308e4e5fb729aaf5688d0f475119677
-
Filesize: 169B
MD5: 2273759d6a9ba1f9ecf948188f89de26
SHA1: 74f5e6b3244e65dab374e82588dff3bcfd9ede5c
SHA256: 0ce01ec4151cded19373545e0f0b795ab453b01ca03a8dfc3fa184aa5811d952
SHA512: 00126f310461b3bbfd9d0e14c6ad2d7a32f2b421734a89111bae5e1531869f8c9540c769180f79d1c2aeeebc23df24703cefccb6959e5be5980be446087990d7
-
Filesize: 201B
MD5: 970cfcfc64d24f75c8464fe8ea3a7dce
SHA1: 16a9c16fb89a8c54bd3eefb33fb89450ada18090
SHA256: 6c525c8995b523cebd38e92c2195c174d02cda9548347913dada106a5c5a932d
SHA512: dff21ee4bd79a5ff8ff848cb0ba82b837a5f19362f88301bede49c95f9695195b6357babba5253e00316567e1b6be49da99ba1634317e900088a90843b79f2ef
-
Filesize: 2.6MB
MD5: 31113fda57de423fd9c7e1b926863c74
SHA1: 0f22f605afdd172e56427f9d3d7cebf9e789c0d2
SHA256: 3f1b16ca9fa485303ad521a9d6dd04d9436bc50267559aa4279ef322ffded3a4
SHA512: 6906a3cf98cd5f4bdd782b773fd02dd9aba808ad7e579ce752dca115d1fe1cc9585288180258a3f36424c1daf0b29abfb0f9b8a55454d918ef5aad1f7da1042a