Analysis
max time kernel: 119s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 08/11/2024, 14:25
Static task: static1
Behavioral task: behavioral1
  Sample: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Resource: win10v2004-20241007-en
General
Target: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
Size: 2.6MB
MD5: 39e078a66e22cf574d8ff712bd217040
SHA1: 857a3a5925b81392e954c9d98555d15433b190f4
SHA256: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a
SHA512: 4073d533a854238a8c8ca21de8a9250fab81be71512c692803a3098237811147ab89aa5e4faf2794c89d46fce20a9833c4c163fb7f004aa261663cc60e10e1a7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe

Executes dropped EXE (2 IoCs)
  PID 4636: locxopti.exe
  PID 4092: devdobsys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDO\\devdobsys.exe"
    Process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid96\\dobaec.exe"
    Process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1920: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe (4 entries)
  PID 4636: locxopti.exe (30 entries)
  PID 4092: devdobsys.exe (30 entries)
  (the 4636/4092 entries alternate in pairs throughout the remainder of the table)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1920 (53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe) wrote to memory of PID 4636, procid_target 87 (3 entries)
  PID 1920 (53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe) wrote to memory of PID 4092, procid_target 90 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
   PID: 1920
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 4636
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\SysDrvDO\devdobsys.exe
      Command line: C:\SysDrvDO\devdobsys.exe
      PID: 4092
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: faa5e30d9a6425f82c4a43ad3f7128c4
SHA1: 0b1825d1f380d1df33cc06e56ae96ba7a96b2cb3
SHA256: 2772dbbd7b43364cb32b4201cc955b0f1d49c73579227cbc34e5c775d4e72847
SHA512: d6dc8be14930f203be718c5d917a1b70addc34da493101c296044390db25cebb8887dd385bb43413bf3fbf9f978c379c2f5d5704040d599737eaf9e7bf81cfc0

Filesize: 202B
MD5: 459a99a71e2d8e9cc60a4563b5f52fe9
SHA1: bb50a372d9f75e246489ba311cdd623d98f2b81c
SHA256: 6d5080d9e23adc45756388f15e565128853195d8bb0cb768fcf3103b36015700
SHA512: 3e3c50b72320b0a52f6f903ddcaa37957b27145b3002753660a9c772d9d1fe854ed5952dcb0dedf34c2f130fcbe608abfab6790968a4753210b9aa058412576d

Filesize: 170B
MD5: 5a6e3c1c9f7e1a74059f6e6a015ac58e
SHA1: bb24d48118cf4e43c0d506c3a883c83a7c9419e1
SHA256: 26025d00e054ec13b590e57a487b67c42b301021e7991c2542ea3fc175e97236
SHA512: c8603bdf93f88e3bef96ebd08d533638cc6acb7e32677153894573920312ecade51e92cc9e94b3965f8493d2c09ae258631ecfe2b7f30ed382f70e8e7711c12a

Filesize: 2.6MB
MD5: 9c1f95c30d0df407e6420750f0acf6ea
SHA1: dc9ed39bf7cea44be3abc0dbb7088b4aeecc7749
SHA256: 9537c6a5c16ebfd543a4c3ecf7c5b494adab95726f006b336f85896c77ba68ef
SHA512: b845d14a93dadd257fefecdd1ba98fb56c0bac9ec25f010956e65acab9641564aaeca57ae60221488c649c0e3b0862347043547285c56aef0fc8a4d88284a181

Filesize: 2.6MB
MD5: 74f50117c9488fa9586bda35f94b3e55
SHA1: a51137d6e0f7689cf84394f0b8f23ecc36024406
SHA256: 811039afd9800f5ea38fee610ec8bcad7eb66f7dbe6a9ed138fd21944ea0abbb
SHA512: b3af9a45b3812463a302d5e6775fa15c37ca8caf2c5765c4618bd2d65781a7aeff7957dff37ba93913d949bf226f741f8518dcd47f857ed23d93e5c20642547d

Filesize: 819KB
MD5: 34ee2b334e40e599e0c77af66aa86d3e
SHA1: fe88ac75f08e6ceea4c20bbf39cb37ab06a404e2
SHA256: 0140b8d5126ada1ed6de6db7f40090d8cada8143c22f7edb37e219f6d1508f37
SHA512: f3d35584f8561de5f026de6367f19564fa30ba8a8de347eaa1957d8fc4235859239078eecb69051ee833a936a7b5fb21738814bc6e6641581dca7a56fd32dd73