Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11/11/2024, 23:14

Static task: static1

Behavioral task: behavioral1
Sample: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
Resource: win10v2004-20241007-en
General
Target: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
Size: 2.6MB
MD5: 51681a2932a495c3b9714864d135d83d
SHA1: de0d2fd21ad60b3334fd41713cc0327d0421a255
SHA256: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1
SHA512: 80fe1478bf47a44ae86dcfb79941601d0156dea17d8a573f6b573e50c0987692c5de14e39d6b210152fb6859a9d44bd23e6614015df39e208ae1b2d078f125ea
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe)

Executes dropped EXE (2 IoCs)
- PID 960: locxopti.exe
- PID 3948: xbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSN\\xbodloc.exe" (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint57\\bodxec.exe" (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2452: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
- PID 960: locxopti.exe
- PID 3948: xbodloc.exe
(the report lists these three processes repeatedly, 64 entries in total)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2452 wrote to memory of 960 (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe, procid_target 88), 3 entries
- PID 2452 wrote to memory of 3948 (process: 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe, procid_target 89), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2452
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 960
  - C:\UserDotSN\xbodloc.exe
    Command line: C:\UserDotSN\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3948
Network
MITRE ATT&CK Enterprise v15
Downloads