Analysis
  max time kernel: 150s
  max time network: 159s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/11/2024, 20:12

Static task: static1

Behavioral task: behavioral1
  Sample: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Resource: win10v2004-20241007-en

General
  Target: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Size: 2.6MB
  MD5: 86136fac208ef5fbe52c2c0dc47f154e
  SHA1: c949bca829e4e76f44c759f102fe4bc82349ddb6
  SHA256: 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726
  SHA512: cc0b82fb598a230aefad1e09db71cf33e37a6626361ba7d107c276bdf3b575b195236dc868caf31c8f21084ee9a6c10e8d0959426b8e48551be54ad7208cbce2
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUphb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe  by 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe

Executes dropped EXE (2 IoCs)
  PID 2408  locdevdob.exe
  PID 3456  xoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePP\\xoptisys.exe"  by 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3W\\optialoc.exe"  by 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by locdevdob.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the same pid/process pairs recur throughout, listed once each)
  PID 1092  1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
  PID 2408  locdevdob.exe
  PID 3456  xoptisys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1092 (1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe) wrote to memory of PID 2408, procid_target 89  (reported 3 times)
  PID 1092 (1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe) wrote to memory of PID 3456, procid_target 92  (reported 3 times)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe  (PID 1092)
  command line: "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe  (PID 2408)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\AdobePP\xoptisys.exe  (PID 3456)
    command line: C:\AdobePP\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads