Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 14:55

Static task: static1

Behavioral task: behavioral1
- Sample: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
- Resource: win10v2004-20241007-en
General
- Target: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
- Size: 2.6MB
- MD5: 69399404c4e89f3d89a19eec66a21b20
- SHA1: 125d83a8131e31a04bc45b0c9ff9847d246c6b99
- SHA256: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2
- SHA512: 28397b318c5205b16e80b8a901c1d70ef71f48b3dacea6b1b101d689aab7ae6d7c2cd813c052158a12307cb238ec89f55e40f9f9ef3e6988a42d4bae1123123d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
- Executes dropped EXE (2 IoCs)
  pid 3456: locadob.exe
  pid 2228: xoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNL\\xoptiloc.exe"
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobxec.exe"
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locadob.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Distinct pid / Process pairs (the report lists 64 repeated entries across these three processes):
  pid 1568: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  pid 3456: locadob.exe
  pid 2228: xoptiloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1568 wrote to memory of 3456 (3 entries)
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  procid_target: 88
  description: PID 1568 wrote to memory of 2228 (3 entries)
  Process: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  procid_target: 89
Processes
- C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe"
  PID: 1568
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (level 2, child of PID 1568)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 3456
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\FilesNL\xoptiloc.exe (level 2, child of PID 1568)
    command line: C:\FilesNL\xoptiloc.exe
    PID: 2228
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads