Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 01:18
Static task: static1
Behavioral task: behavioral1
Sample: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
Resource: win10v2004-20241007-en
General
Target: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
Size: 2.6MB
MD5: 905d011a98a1a1811ba2223a881d28f0
SHA1: 858eee90065ff04f060b3e24ad01be50c29544c2
SHA256: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44
SHA512: 8ed38b6eec1e6a871f3c9b41e0c4c2578c67253f429eb68492237fab19aee36e136610feab801889825e23953671dac6ab1bb42aa85a0b1ea2315655bc33eec1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSq:sxX7QnxrloE5dpUpWbV
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe

Executes dropped EXE (2 IoCs)
  PID 1704: locabod.exe
  PID 1836: xoptisys.exe

Loads dropped DLL (2 IoCs)
  PID 2388: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe (2 events; the DLL paths are not listed in this view)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  No IoC rows are listed for this signature in this view, so the specific browser files or keys that were touched are not shown here; treat it as a TTP match rather than a confirmed credential read.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot68\\xoptisys.exe"
    Process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxES\\bodaec.exe"
    Process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
  Both values share the name "Parametr" and point into non-standard top-level directories (C:\UserDot68, C:\GalaxES). The RunOnce target bodaec.exe is never seen executing in the process tree below, so it is either a second-stage that did not trigger within the analysis window or a decoy; a live host check should look for the file itself, not only the running process.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
    Process: locabod.exe
    Process: xoptisys.exe
  Reading this key is also common in benign software, so on its own it is a weak indicator; it matters here because all three binaries in the chain do it.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2388: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe (2 events)
  PID 1704: locabod.exe and PID 1836: xoptisys.exe (the remaining 62 events alternate between these two processes, 31 each)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2388 (95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe) wrote to memory of PID 1704, procid_target 30: 4 events
  PID 2388 (95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe) wrote to memory of PID 1836, procid_target 31: 4 events
  Both targets are the two child processes the sample launches itself (PIDs 1704 and 1836 in the tree below), so this is consistent with the parent setting up its own children rather than injecting into an unrelated process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe"
    PID: 2388
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
        PID: 1704
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\UserDot68\xoptisys.exe
        Command line: C:\UserDot68\xoptisys.exe
        PID: 1836
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped/downloaded files; paths are not listed in this view)

File 1
  Filesize: 2.2MB
  MD5: e3c26f88b14df08468774142942efd79
  SHA1: 3c68474d943567be9a949aeb7e84596060ff2039
  SHA256: f323527e6dd64a5705c54fed7af93a3f6b4eccbba8c4e7a547aae005be1767c6
  SHA512: bc7c9de747fc0a58bda64369869aa6362c0f54266b6f1a0ecad18469808494c9352d024ab97445a7957a554632a5dfcd0490d44acd199e3e3287de9cb34341eb

File 2
  Filesize: 2.6MB
  MD5: fb338a55370167b7e886f48e20bf12ef
  SHA1: d4d98dec886f2e89d2460c28bb75c670dea30870
  SHA256: 289a0488d65b14038e6e35755cc3ca09ba1d37e2533bd909b8f899267157c7ae
  SHA512: 60b657d7cecad71f4c606c0c314883aaf8b2632e0181b64189a1b3abff0d40d31a9d3d76567549320ac43552b4942da6e22a9dedac5bf97ecc42302e66cafb82

File 3
  Filesize: 2.6MB
  MD5: 161250e1362ef11bfd3e438648bf4e4d
  SHA1: d9578c45ce6738d9e2702f2679baadb09b633080
  SHA256: 4ceb7e47ba3eebe7536d747ff0fba4c523cad3b517c3f170ec47955ac8613134
  SHA512: 4edf8b020292b77b8af1b7d8b9bc28a48c4c55bb4f9e0ae30367620d604445493355fd43d45fc558d431fa75b55c3989d5d37462c765988b1f5f0fbbb439d953

File 4
  Filesize: 171B
  MD5: 61a4e943e276350e545472f356346ec6
  SHA1: c2372693a7a18974b818b6a3f478f3573d766e3e
  SHA256: 039a88244cd4c0b30cd3d701a96c9f7139194e08ca58407158533f06ad4866f8
  SHA512: 27b0d726ed9b8319b664615064bb1aefda5430cd978572e0d2e6c2c5fef878e795789fd7de0c3a5ba69065d58bf6db4c1e6371e959da5da48d141dc1cd4d7455

File 5
  Filesize: 203B
  MD5: b68f5cc85a7ff2ea0eeb772160bc1574
  SHA1: 22fccb8b7b1df7ba732d707fe476561a82b6e263
  SHA256: 4a07c9e9dfe835c6df1e8c8c7b55a0c0b3a9bfa3f948893743916ae284326763
  SHA512: 3f0ababfa58fe400dc0e02cf512f189cf8f81a144a23543810a0dde99a3b91cb5af8215d6c6b3e9c0d12c36167a18da1610a0588d4ad3d2252a1ef3757bd3498

File 6
  Filesize: 2.6MB
  MD5: d9245070145e6b9bef2051362f7ec7e1
  SHA1: 967d89e46717de5d2636bdf33fca76518f5071af
  SHA256: 5027010129cd490ec576a5ed049ed13d951f463500788d6170c8aaae86c549c6
  SHA512: 3b25cdba46cd781e6eab152946f9096c17aafe74332d5871d8bd35cfdf4a5a3498f0a602997e34de64c61360456066162974a187102c884f2c8dc78918fd063b
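The persistence and drop indicators above (the "Parametr" Run/RunOnce values, the Startup-folder locabod.exe, the C:\UserDot68 and C:\GalaxES drop directories, and the SHA256 values of the sample and its 2.2MB/2.6MB dropped files) can be checked on a suspect host with the script below. It is an added triage example, not output of the sandbox or code from the sample. It assumes it is run on the suspect machine as the affected user, so the report's \REGISTRY\USER\S-1-5-21-...-1000 hive is the current HKCU; the regular expression on the drop directories is a generalisation of the two paths in the report, and the process names come from the process tree.

```powershell
# Host triage for the indicators in this sandbox report. Added example, not part
# of the report. Assumptions: runs as the affected user (HKCU = the hive shown in
# the report); for another account load its hive and point $RunKeys at HKU:\<SID>\...
$ErrorActionPreference = 'SilentlyContinue'

# --- indicators lifted from the report --------------------------------------
$RunValueName   = 'Parametr'                    # value name used in both Run and RunOnce
$DropDirPattern = '\\(UserDot68|GalaxES)\\'     # generalisation of the two drop directories (assumption)
$SuspectFiles   = @(
    'C:\UserDot68\xoptisys.exe',                # Run target, seen executing as PID 1836
    'C:\GalaxES\bodaec.exe'                     # RunOnce target, never seen executing in the sandbox
)
$KnownSha256 = @(
    '95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44', # submitted sample
    'f323527e6dd64a5705c54fed7af93a3f6b4eccbba8c4e7a547aae005be1767c6', # dropped, 2.2MB
    '289a0488d65b14038e6e35755cc3ca09ba1d37e2533bd909b8f899267157c7ae', # dropped, 2.6MB
    '4ceb7e47ba3eebe7536d747ff0fba4c523cad3b517c3f170ec47955ac8613134', # dropped, 2.6MB
    '5027010129cd490ec576a5ed049ed13d951f463500788d6170c8aaae86c549c6'  # dropped, 2.6MB
)
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDir    = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Detail) {
    # $findings is a reference type, so Add() mutates the list from the caller's scope
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}
function Get-Sha256($Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower() }
function Get-HashVerdict($Hash) {
    if ($KnownSha256 -contains $Hash) { 'sha256 matches report' } else { 'present, sha256 differs (possible variant)' }
}

# 1. Run / RunOnce: flag the exact value name and any value pointing into the drop dirs.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }   # skip the provider's own metadata
        $data = [string]$p.Value
        if ($p.Name -eq $RunValueName -or $data -match $DropDirPattern) {
            Add-Finding 'Registry' "$key\$($p.Name)" $data
        }
    }
}

# 2. Drop-directory files: presence plus hash comparison against the report.
foreach ($path in $SuspectFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $h = Get-Sha256 $path
    Add-Finding 'File' $path "$(Get-HashVerdict $h) sha256=$h"
}

# 3. Any executable in the per-user Startup folder, not only locabod.exe.
Get-ChildItem -LiteralPath $StartupDir -Filter *.exe -File | ForEach-Object {
    $h = Get-Sha256 $_.FullName
    Add-Finding 'StartupFolder' $_.FullName "$(Get-HashVerdict $h) sha256=$h"
}

# 4. Running instances of the names from the process tree.
Get-Process -Name locabod, xoptisys, bodaec | ForEach-Object {
    Add-Finding 'Process' "$($_.ProcessName) (PID $($_.Id))" $_.Path
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A clean host prints only the "No indicators" line. A hash mismatch on a file that is present in one of the drop directories is still a finding: the report shows several distinct 2.6MB artifacts from a single run, so a repacked variant on the host is more likely than a coincidental file at C:\UserDot68\xoptisys.exe. The Run-key check matches on the value name independently of the data because the sample reuses "Parametr" for both the Run and RunOnce entries while the data points at different files.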