Analysis
  max time kernel: 120s
  max time network: 102s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/11/2024, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Resource: win10v2004-20241007-en
General
  Target: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Size: 2.6MB
  MD5: 256d5026cc9fcdb7faec3059941eb7d0
  SHA1: 79970f805838ba37ed283fd3c7245f5020dd76ba
  SHA256: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
  SHA512: 3ed790fc1f6dcbcb2daa2da6800f56fa77284a8a31429d7487b8c3a0ba8c4e8844b549b9dfe67d760619c9b65920c8b55f00679a4762429e4a5d2d0ff10f7e81
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe

Executes dropped EXE (2 IoCs)
  pid 1996  locxopti.exe
  pid 3344  devoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\bodxsys.exe"
    process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ6\\devoptiec.exe"
    process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. All three processes open the same NLS key, which ordinary locale and UI-language lookups also read, so on its own this is a low-confidence indicator.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: locxopti.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: devoptiec.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2272  6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe  (4 entries)
  pid 1996  locxopti.exe  (30 entries, alternating in pairs with the next)
  pid 3344  devoptiec.exe  (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2272 (6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe) wrote to memory of PID 1996, procid_target 86  (3 entries)
  PID 2272 (6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe) wrote to memory of PID 3344, procid_target 89  (3 entries)
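The two persistence mechanisms the signatures above record (an executable dropped into the per-user Startup folder, and Run/RunOnce values pointing at executables in freshly created top-level directories) can be checked mechanically from the IoC strings the report prints. The following is an added example, not code from the report, the sandbox or the sample: it parses the "Set value" and "File created" IoC columns in the form shown above, normalises the NT registry path (\REGISTRY\USER\<SID>\...) to hive form, and flags autorun targets that sit outside the locations a legitimately installed program would use. The EXPECTED_PREFIXES list and the fourth, benign OneDrive control line are assumptions constructed for the example.

```python
"""Persistence triage over the IoC lines a sandbox report prints (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

AUTORUN_SUBKEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)
# Assumed locations where an autorun target normally lives; tune per estate.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\", "c:\\users\\")
STARTUP_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\"
    r"start menu\\programs\\startup\\[^\\]+$",
    re.IGNORECASE,
)
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
FILE_CREATED_RE = re.compile(r"^File created (.+)$")


@dataclass
class Finding:
    technique: str          # label the report uses for the signature
    location: str           # registry key or directory
    target: str             # executable the entry points at
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def normalize_key(nt_path: str) -> str:
    """\\REGISTRY\\USER\\<SID>\\X -> HKU\\<SID>\\X ; \\REGISTRY\\MACHINE\\X -> HKLM\\X."""
    s = nt_path.lstrip("\\")
    low = s.lower()
    for prefix, hive in (("registry\\user\\", "HKU\\"), ("registry\\machine\\", "HKLM\\")):
        if low.startswith(prefix):
            return hive + s[len(prefix):]
    return s


def unescape_data(data: str) -> str:
    # The report prints REG_SZ data with doubled backslashes, e.g. C:\\MintT0\\bodxsys.exe
    return data.replace("\\\\", "\\")


def check_set_value(ioc: str) -> Optional[Finding]:
    m = SET_VALUE_RE.match(ioc)
    if not m:
        return None
    key, _, value_name = normalize_key(m.group(2)).rpartition("\\")
    key_low = key.lower()
    if not any(key_low.endswith("\\" + sub) for sub in AUTORUN_SUBKEYS):
        return None
    target = unescape_data(m.group(3))
    reasons = [f"autorun value '{value_name}' written under {key}"]
    if key.startswith("HKU\\"):
        reasons.append("per-user hive: no elevation needed to write it")
    if key_low.endswith("\\runonce"):
        reasons.append("RunOnce entry is deleted when it fires, so it may be gone by the time the host is examined")
    outside = not target.lower().startswith(EXPECTED_PREFIXES)
    if outside:
        # e.g. C:\MintT0\bodxsys.exe: a directory created directly under the drive root
        reasons.append("target outside the expected install locations")
    return Finding("Adds Run key to start application", key, target, outside, reasons)


def check_file_created(ioc: str) -> Optional[Finding]:
    m = FILE_CREATED_RE.match(ioc)
    if not m or not STARTUP_DIR_RE.match(m.group(1)):
        return None
    path = m.group(1)
    folder = path.rpartition("\\")[0]
    return Finding("Drops startup file", folder, path, True,
                   ["file written to the per-user Startup folder; Explorer launches it at every interactive logon"])


def triage(iocs: List[str]) -> List[Finding]:
    found = (check_set_value(ioc) or check_file_created(ioc) for ioc in iocs)
    return [f for f in found if f is not None]


# First three lines: IoC columns from the report above. Fourth: constructed benign control.
REPORT_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\bodxsys.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ6\\devoptiec.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
]

if __name__ == "__main__":
    for f in triage(REPORT_IOCS):
        print(f"[{'SUSPICIOUS' if f.suspicious else 'info'}] {f.technique}: {f.target}")
        for r in f.reasons:
            print("    -", r)
```

The same "Parametr" value name is written under both Run and RunOnce with different targets; the RunOnce entry is the one a live-response check is most likely to miss, because Windows removes it before executing it at the next logon.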
Processes
  [PID 2272] C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [PID 1996] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe  (child of PID 2272)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    [PID 3344] C:\UserDotJ6\devoptiec.exe  (child of PID 2272)
      command line: C:\UserDotJ6\devoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
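The six WriteProcessMemory entries all have PID 2272 as the source and the two processes it spawned (1996 and 3344) as the targets, in groups of three immediately around process creation. That is the pattern the process-creation path itself produces when a parent sets up a new child; a write into a PID that is not one of the writer's own children is the stronger injection signal. The following added example (not code from the report or the sample) correlates the "wrote to memory of" entries with the process tree to make that distinction. The PIDs, images and parentage are the ones the report shows; the write to PID 4444 in the usage block is constructed to show how a foreign-process write would surface.

```python
"""Correlate WriteProcessMemory entries with the process tree (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the observed tree
    image: str


# Process tree as shown in the report.
REPORT_PROCS = [
    Proc(2272, None, r"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"),
    Proc(1996, 2272, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"),
    Proc(3344, 2272, r"C:\UserDotJ6\devoptiec.exe"),
]
# (source pid, target pid) for each "wrote to memory of" entry in the report.
REPORT_WRITES = [(2272, 1996)] * 3 + [(2272, 3344)] * 3


def classify_writes(procs: List[Proc], writes: List[Tuple[int, int]]) -> Dict[Tuple[int, int], Tuple[str, int]]:
    """Map (src, dst) -> ('child' | 'foreign', count).

    'child': dst was created by src, the pattern process creation itself produces.
    'foreign': src wrote into a process it did not spawn (or one not in the tree at all).
    """
    parent_of = {p.pid: p.ppid for p in procs}
    return {
        (src, dst): ("child" if parent_of.get(dst) == src else "foreign", n)
        for (src, dst), n in Counter(writes).items()
    }


def foreign_targets(procs: List[Proc], writes: List[Tuple[int, int]]) -> List[int]:
    """PIDs that received writes from a process other than their parent."""
    classified = classify_writes(procs, writes)
    return sorted({dst for (_, dst), (kind, _) in classified.items() if kind == "foreign"})


def render_tree(procs: List[Proc]) -> List[str]:
    """Indented parent/child listing, one line per process, children sorted by PID."""
    known = {p.pid for p in procs}
    children: Dict[Optional[int], List[Proc]] = defaultdict(list)
    for p in procs:
        children[p.ppid if p.ppid in known else None].append(p)
    lines: List[str] = []

    def walk(parent: Optional[int], depth: int) -> None:
        for p in sorted(children[parent], key=lambda c: c.pid):
            lines.append("  " * depth + f"[{p.pid}] {p.image}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(REPORT_PROCS)))
    for (src, dst), (kind, n) in classify_writes(REPORT_PROCS, REPORT_WRITES).items():
        print(f"{src} -> {dst}: {kind} ({n} writes)")
    # Constructed: one extra write into a PID that is not in the tree.
    print("foreign targets:", foreign_targets(REPORT_PROCS, REPORT_WRITES + [(2272, 4444)]))
```

Run against the report's own data the foreign-target list is empty, which is why the "Suspicious use of WriteProcessMemory" signature here corroborates the drop-and-execute chain rather than indicating injection into another process.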
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 186KB
  MD5: e1497a96257006caa28d9c50361ca0e9
  SHA1: c6a9707192a47a7b8dc5e3daaba59fde6d853689
  SHA256: e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48
  SHA512: 893c8a4e110b9cb3efc35368f90b57e7ee2b9dd7f132d787dcd3ca537bd6d794b545606eb662142e26aa7211cf94614611da746c2797fcd90ff2ea5bd6aaf177

  Filesize: 2.6MB
  MD5: 196a3addf52a73e1a2eb99adc0ed2163
  SHA1: 0d5bf224e5db9029151778760116ef351510362d
  SHA256: faf53b27747c764b966ca9ebf81208f8711ee4d5436266bc066520369a3c7136
  SHA512: 350670b16037df5f9b8d20264a366aef1a78142ba254435ffbe764b55ec0028ec90443864205bd2a1f7ad33c4cad87a590aa3530185b4024ab29f59a0c480854

  Filesize: 588KB
  MD5: 0b3f97bd1d3f58c8cbd4c18840bdd73e
  SHA1: 2c4350cfe89924b1b93ea6302f0f7c01bdd6c56c
  SHA256: 414af5c0b280a502f70ca3452029069161b1e06ab191d6e6960a42e1f0f8a4dd
  SHA512: 2974e4f10224f839f6fd052313cda4ca47067c3d6990205117d9ffc0344f0f4585770d37cecea5c4dd6106416d3d72a97726587bc28b005d6b7f75443027f0eb

  Filesize: 2.6MB
  MD5: dc0e6f1a84e2c7c12fc716eb9030c8a4
  SHA1: 5cc2206705d7eb613729e5ed6c3b7bd495c0cd12
  SHA256: aa99df64c13a406fd8f01cdae452d3d12cb76d3821a3eff01a060e3b15944ed2
  SHA512: a99f148a285cd6b572310eb4141917b615dd57f4dcc1e56f9942ae75b8c2ffdae860267fae9a877a4a94dbf16ce29dc0017ca95ab3456c6ffa8eb468114c7e21

  Filesize: 205B
  MD5: 17d9436f564aef253fe8e831a9156832
  SHA1: a67299de03e0842cb77aefdab20bb5f8a91c76e4
  SHA256: c5770df1d673d3d36977ad36d345b7a56ae26efd6b08221a154041adb6cc4fa4
  SHA512: a0e9705af92c518a9e3885167e90c46b7da6ec33738ad445b72f76a5965844fb52aede2f19f019f42353d21db34b35ad2fd1b9965c7b655187b4b708484ee363

  Filesize: 173B
  MD5: 4f74f283b716bd69e7d3d29dfc64fd48
  SHA1: 0e9ab656bdeb3894615c9f60f3d5d0a59f421ca3
  SHA256: b9d266740c7d3b5c6d39e6187ca6609fecb5b1f0b0b056c28ae5df5ae24d8c66
  SHA512: 26aac9e3df045904daa4ae590f4500d45784b73478a4e2ddb32c954aa00a7d1590488a03ee9926da0c9b922d291dc19a1c9d08f0fcae0eac4a7326b682cb509c

  Filesize: 2.6MB
  MD5: 851e07c78a7ce4502537a9d70d5589b1
  SHA1: adaf3d3b146cbe9c70a0057ff4d6bdd16e115d72
  SHA256: aa0ab3109739c9ddb325195ac92800aa72e8c0a236b1904094db3b656d257901
  SHA512: ef7c12a1c7dcf69ec11d5fc19167672d4ac5667ffa7a32254e7e86947c03a131daf3c672b051c2d44d5cdcbbaaeefb255c347b07d6737218e9102385fe6f2d2b