Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 14:55

General

  • Target: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
  • Size: 2.6MB
  • MD5: 69399404c4e89f3d89a19eec66a21b20
  • SHA1: 125d83a8131e31a04bc45b0c9ff9847d246c6b99
  • SHA256: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2
  • SHA512: 28397b318c5205b16e80b8a901c1d70ef71f48b3dacea6b1b101d689aab7ae6d7c2cd813c052158a12307cb238ec89f55e40f9f9ef3e6988a42d4bae1123123d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
    "C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe"
    PID: 1568
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      PID: 3456 (child of 1568)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesNL\xoptiloc.exe
      C:\FilesNL\xoptiloc.exe
      PID: 2228 (child of 1568)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

Downloads

  • C:\FilesNL\xoptiloc.exe (1.4MB)
    MD5: 0c37397b47114374bdd7ad8594cc8fe1
    SHA1: a86079c98c981c451ec16907c975fbdb8a6bbeb4
    SHA256: d8b51b73d769c3e5c4ef4b9fd0aa2ab6dffa94c7052000c5a78b097f838181ad
    SHA512: b42528c0d6f59c3e22f9bad43466c39abdc9522537bc602e6108ea84e4cbedf76bae8b784422855dc0fbe17b91f2eb304d429ffc34bb50b9ce94ce9a45644daa

  • C:\FilesNL\xoptiloc.exe (2.6MB)
    MD5: 5f252da07a36719ab18dea8cb16c574c
    SHA1: e7c73527fc9e0b9f531fe5dbe99fdbded64922cb
    SHA256: 59606b46f7f781e6ee7aaaaa67f3db175d49c22c42d67ddacf4e161490b72f81
    SHA512: 8ad0b54474ee59967189a308d5ee83ef3eb095cdae3af4418153df03ebe272cb421bef74f20656c63cee75d6f378e656a962312c7bd4ac56da19e2c42c18197b

  • C:\Users\Admin\253086396416_10.0_Admin.ini (199B)
    MD5: 8d450c5278e69370596539fbb52f1d92
    SHA1: efadf7292de97b659a3a2c25cea75b8a79ab7600
    SHA256: 03c9228c5d513f561a9147a638fd9c792739a1db1c609955add33d60a3b2ce33
    SHA512: 1474e2bef270af34e1afab5b7f5611bc32f19a8e422b6498afa8f7cb844233a0e33ab1522500012a34a543ecdb8f2313d9292b65349e50f2e5d7391d54f32f81

  • C:\Users\Admin\253086396416_10.0_Admin.ini (167B)
    MD5: c74fb3a991fd102e060e77e577dc81e9
    SHA1: 6335d37e0a29a829857e5e8d1dab86af2a8fb84f
    SHA256: 4c88590da3c9e1b5ce7565a36cac4d84733b4818eaeeb4d4bc304549370c00d1
    SHA512: b776cec75889ec198fc2d020610e4733a2e02a61050f7265a7f78ad2023f7f304175e9996db6b504612acc096832cf0cc20a2ee2f76edd039b0bdff98f4a23b8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (2.6MB)
    MD5: 545b4e2b8168f568a09f70802199f973
    SHA1: 1e8cf0cdadf58899fa70b52a3e65d59f95a311fd
    SHA256: 50c4544e7c871f4fcb0ae0664a15181228e1fc6bc24ea454cd5f344ad7b50071
    SHA512: 9b0b37ad2e9911862c0c8c729cd579cfbe137b6bd7d6019656e1c9d27297de03a4e89f7af7c510c66bf6501731811ac7ed5c40433b520952b751d0247d0bf22d

  • C:\VidU6\dobxec.exe (2.6MB)
    MD5: bb94a8f4c6ce037c252d618bdaa4278b
    SHA1: f662b48d7ee0eafe1ffb25f4bb3217ecec4c8d0e
    SHA256: cf82e9f0c408cd75e3212d21345d497ed766c2d751540d08cc0e2269f43dd99b
    SHA512: 05040bbeaef17161a9ea6f91dae81e2c5d3673131fbfe9beed5bae01d8d275a4e090fcea146aed241c836a459a225c242e53fa056e813717fc10587ec8260a76

  • C:\VidU6\dobxec.exe (2.6MB)
    MD5: 6a0a448d3560f24d8c673b1f9d7d658d
    SHA1: cbb1d3cb537df84fda783a2ef8282974e6465520
    SHA256: 250e9f1db4ffb2a3b6d6f846fb9b1ee15421ceb0525090b1d346b43dacbc4c01
    SHA512: a40cb9f14f2c8785d7c3826fa0cf4b36226af759c6a469847da4180906d07d0bb27513034623964d7e79db7e5e1f9a2159f430110863a807087570bc9acbc6c7