Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Resource: win10v2004-20241007-en
General
Target: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
Size: 2.6MB
MD5: 1a9eb84e3c93211f62724b53b0d7c603
SHA1: 37dee78b4ca56a1671b13927063cc2131e6dc565
SHA256: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9
SHA512: 26512f8bcb571306b20bebab9cc7ea682c1a76b54908ad2511cd5ab0ff64a5c3807b0727ccf74fce877b400a19bb5cdfb3b406626e1c0e5cd48921b2a7fb147a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSP:sxX7QnxrloE5dpUpbbM
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe

Executes dropped EXE (2 IoCs)
  PID 3632: locadob.exe
  PID 2376: xoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotL3\\xoptisys.exe"
    Process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHY\\bodaloc.exe"
    Process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4736: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe (4 entries)
  PID 3632: locadob.exe (30 entries)
  PID 2376: xoptisys.exe (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4736 wrote to memory of 3632 (aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe, procid_target 87), 3 entries
  PID 4736 wrote to memory of 2376 (aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe, procid_target 88), 3 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4736

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3632

   2. C:\UserDotL3\xoptisys.exe
      Command line: C:\UserDotL3\xoptisys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 174KB
  MD5: 0f096bde926842f74e4216a606ed54a3
  SHA1: 454c2318195e7b5b78897b16806aa5f230bb185e
  SHA256: afe422d3bb46cd851b457adf36c246b8e22dd4c60ab13cca58515e163a9a0e17
  SHA512: 0ad3fa54a5af275c255125d9e5731328e039f0b7d42dcd7749791e0a8e124c71ebd3b26bb03ed2906ac30de6dcb0b17dbd628e9a946ea534078a46cb2655ac6e

Filesize: 2.6MB
  MD5: cdea3c5d45bce16674bf4612a65b93f4
  SHA1: 8308b5a774838a9236da1326b70b14a5f8c91e4c
  SHA256: b9cf282994ce2487d62dd8704dd0e62eb4f3c73bda08e5f8dfddd3efd8003459
  SHA512: 34d20b73b5122e491743cac479a1c919609335440d54da7bfd5ae50aeb9c451cc3b561c8693147df989b6e0090de18295b575deab1e07cdb7b6d58c9ac804098

Filesize: 202B
  MD5: 83a03821b1431c679a0d1fb12e7cb832
  SHA1: b3226fc224cd3de7274b7539bd87adab3f5d8e76
  SHA256: bd86b3e1eccaf4e8fb6aece2e62074047d9eef3cc5797d599010306ab166c9da
  SHA512: f184f2837723118fae860db654c2d513582d76ca06119123b28774cf03dcb3141dd8f4dd79fea3c86b944015c85c84fab41968d85182ebcb8382fa779fe4ca18

Filesize: 170B
  MD5: b1b6d37877b97fabd382d4793edf0ee2
  SHA1: bfc4d89f43864bf4b898106e57979971abd00f05
  SHA256: a06d52963bb534940aec8c4751eb7021dc143dfc1f2a348b14d58644224601a7
  SHA512: 70415f17461a5c65488aefc5c0a1e9089c05695309dd1c62b77bc9fe3099680886d9817d78b9bd3346d81655319321bc541d7fe916e4110bd8c820c6de5bad51

Filesize: 2.6MB
  MD5: fe8cb7b75de0a32186b5a430e7017303
  SHA1: 1bb3c85e73d82698f69b28be0437377db1a819c1
  SHA256: 52dc3766725fab89ae68d0c80906f297491dbf1f131f6f08537b4fc57ec50d31
  SHA512: f4f59b8e0cc5c9efdecadfcaa498359d0d44e2cebd50dcae814afce4f18bca68556de04ff819d2577137dafbce710c02e9e972a27e3615de133f2294a8f3b884

Filesize: 1.8MB
  MD5: a11f76255b9ca6234bfd6aa66474643d
  SHA1: e3cc3fe2e8e1a624e3288e828320a33d91a8d733
  SHA256: 2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6
  SHA512: 5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Filesize: 2.6MB
  MD5: 2b4e66069f32fc3110e81b0b727864fc
  SHA1: 5c628552b1f7f727c9704f4143c0699ef2b7e865
  SHA256: b1bcfaca5d2691c39b6271cc9b9bb3ee9f4c9db629d94ebf57d99087367068bb
  SHA512: 994232945960d3a584de18240abec2fcdb9125a3a9c6726f1d7327cadfd27c7bceefa0d5b98f2b5614fe6f01bf3496e62637e1e05e04009625bb5e1b796287b7