Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  Resource: win10v2004-20241007-en
General
Target: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
Size: 2.6MB
MD5: 5de6be5c30bb2135981ae6980539632b
SHA1: 8e3d53cdf18a38a840114294342ab829d82d254d
SHA256: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f
SHA512: 822bb6bdfcc1acb0a56efe7b8b3d1201898b13196662d80e0c8c736191874c67430b32f0d65c8c3295f8fd0689a2dce36313d3d98a657997091b873ced15ea53
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

Executes dropped EXE (2 IoCs)
  pid 4720  Process locaopti.exe
  pid 2632  Process xdobloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTN\\xdobloc.exe"
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW7\\dobaec.exe"
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locaopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xdobloc.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report lists the same pid/Process pairs repeatedly, collapsed here)
  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  (first 4 entries)
  pid 4720  Process locaopti.exe  (remaining 60 entries alternate between this and the next row)
  pid 2632  Process xdobloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1468 wrote to memory of 4720  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 89
  description: PID 1468 wrote to memory of 4720  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 89
  description: PID 1468 wrote to memory of 4720  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 89
  description: PID 1468 wrote to memory of 2632  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 91
  description: PID 1468 wrote to memory of 2632  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 91
  description: PID 1468 wrote to memory of 2632  pid 1468  Process 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  procid_target 91
Processes
C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
  PID: 1468
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
    PID: 4720
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvTN\xdobloc.exe  (level 2)
    Command line: C:\SysDrvTN\xdobloc.exe
    PID: 2632
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: eb0854f1c4599efbeaae41929be8ab2f
SHA1: 1e536113d97980522ebba0fd8b464b85dfbf57d7
SHA256: f9396c26c643eb1c9aa792a5a328848358f2e2f86db37464c2472ec9c10a7f56
SHA512: fea419f0d4f2e1cda3db0ffa8d8de2256c2356c96e3d0977c8d253eb1c4035d68de8012ffe7f7e799b8773e284e9cf95f7013397bbf200f98f9e15b6020c37b8

Filesize: 1.1MB
MD5: 38542fa3467ce24e7157648d0f5318f1
SHA1: 76d5e7462d48089828af1f57785dbb52297f6680
SHA256: bac4442e8f1776f41f8ed0d21995a1f810633ef8dd18cc6d7c08b3c1a2b208ca
SHA512: 121ccc105a5a14455ecf5231be025f16ea5801ef773e239c52640a922b76b4c0ee7dc9b14d0fa5edd733db24f70cc491eab1193acaa10f460b9360082424d546

Filesize: 709KB
MD5: f3d5287ec8792bac099aac22ac08d1db
SHA1: ea746e06ed26a0177c811ee7ff97b97e9730afba
SHA256: 52adb8b87905073cc6cd29f095b19ead230f8527976d4eb7c9751442a953c6ff
SHA512: 043f0fd5025e71fa7a1f7bd38b3ecbc6dbd7ff2b960abe801212c562ef2ce6103aaf33b1aa236a74c38ff11fad7d47dfd1d972d8cdfee854282c9315fa43ad44

Filesize: 2.6MB
MD5: 782b332ae238d36d5bb08c01e5b8733c
SHA1: 7eb97d397446d0d5fa4c9eeeddef2213e110f831
SHA256: cfe8e64c1099128bdd6e2299d5bcdaf0158b238fd63d1bcd2bfaa0a6a9d4d253
SHA512: 17179933608478ade6737cc272dd59530f4c44881adeefd48dae7b9cc3abb09090cac368e190e24a576f72c06cdf7f888243ef6c6ba81a683be96baa96fd01ca

Filesize: 201B
MD5: 0397f9679454460eb8be34c82e6474a5
SHA1: a8b7be9cb1ee3c6119040f4dfe8077dd3d134f54
SHA256: 7040e03ccb59e6bffa4e17e9fb0c6f8e8eaf8d4e56a3ca142257e91297c416bd
SHA512: d475c0e007b4a32decc6e12b31bd785db37e8e34288ad2507cf7c0c4482ad28a3fb5a4cdc85eaee51745b3c6428b27ff6c31648daba76aff65411cc4ff8f320f

Filesize: 169B
MD5: 55f62cf3de962006e476202e364b72da
SHA1: a05534aadbccd9335b06cfe577cd36deefd4952e
SHA256: 9099c54dae9f03767c4198ead281a8889c95387f6570bde6a170c3312571a31b
SHA512: 6779091cf1993eb7ac2fd3520c15528a426dfc4488a83f07738b115572ddaa224df6ac73650acc2b669b8fa911c94525b41ec02e332394e2ad72b31c0fe4bccb

Filesize: 2.6MB
MD5: c1fef6edc73a3103a3883d7e02a78ab6
SHA1: 7afd289a4cfef1c66bafab50c684002767cf4f6d
SHA256: 3c26edc6b8336656b9fee07845585ca88cb29efd8a4693b138731957d8cca1e6
SHA512: 0233dba2cfb6377008c1f7532900c01fcf0900e068eb13dd1dba35e8d252a926ebad4f2c65b1ecd06471f0cc618ae38002d7842cd4252f12144b052efad1ddcb