Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 22:56
- Static task: static1
- Behavioral task: behavioral1
  Sample: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  Resource: win10v2004-20241007-en
General
- Target: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
- Size: 2.6MB
- MD5: 06a8ce2ed29c283efd02f9ba5c161c33
- SHA1: e837f4f40a14ca7563c207c9d29115a666a0fdf6
- SHA256: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1
- SHA512: 02b1250c811b50b4d027d559e52fd1969defb177665494244c6c18f9078c44c525c7a029c16ca35a9a65949386258df7057386393bae096b3a3ce71e73dc46d2
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSq:sxX7QnxrloE5dpUpvbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (process: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe)
- Executes dropped EXE (2 IoCs)
  PID 1904: locadob.exe
  PID 2008: xoptiec.exe
- Loads dropped DLL (2 IoCs)
  PID 1708: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  PID 1708: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\dobaloc.exe" (process: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBA\\xoptiec.exe" (process: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1708: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe (2 entries)
  PID 1904: locadob.exe and PID 2008: xoptiec.exe, alternating, for the remaining 62 entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1708 (60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe) wrote to memory of PID 1904, procid_target 31 (4 entries)
  PID 1708 (60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe) wrote to memory of PID 2008, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe"
  PID: 1708
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (child of PID 1708)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 1904
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotBA\xoptiec.exe (child of PID 1708)
    Command line: C:\UserDotBA\xoptiec.exe
    PID: 2008
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads