Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:05

Static task: static1

Behavioral task: behavioral1
Sample: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Resource: win10v2004-20241007-en
General

Target: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Size: 2.6MB
MD5: cd73125f1fe8152cd43f3f5578c8baf0
SHA1: 5b24f6dc3a9dfd3c96daca88b89fbf2e46f2972e
SHA256: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111
SHA512: 6a552589b1f1ab116f526e64096d495e697871c86409056b80c0654a68dd74eedf3ab9589ec0b26e3faa559bdf042f32116f4458101d19049715a7621b044bfe
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpwb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
-
Executes dropped EXE 2 IoCs
pid | Process
3300 | locxopti.exe
1612 | xbodloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSN\\xbodloc.exe" | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint57\\bodxec.exe" | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4880 wrote to memory of 3300 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 86
PID 4880 wrote to memory of 3300 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 86
PID 4880 wrote to memory of 3300 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 86
PID 4880 wrote to memory of 1612 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 87
PID 4880 wrote to memory of 1612 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 87
PID 4880 wrote to memory of 1612 | 4880 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4880

  Level 2 (child of PID 4880): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3300

  Level 2 (child of PID 4880): C:\UserDotSN\xbodloc.exe
  Command line: C:\UserDotSN\xbodloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
-
Network
MITRE ATT&CK Enterprise v15
Downloads