Analysis
-
max time kernel
118s
-
max time network
95s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
11/11/2024, 22:57
Static task
static1
Behavioral task
behavioral1
Sample
dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Resource
win10v2004-20241007-en
General
-
Target
dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
-
Size
2.6MB
-
MD5
87728a415246cf1e3538fe76b2acf843
-
SHA1
3bce8a71a9c0718c9d3a044457ea55f8b3419bb4
-
SHA256
5176155f86655f989e23071d0faf656ee8d09890c0b52771cfff45dc93053a85
-
SHA512
39eb8df8e93f475534011eac272fb0a36909bd080b7d2db9ac04a0bb8fdf152117fc7a63c67400fc3bb5ef731be66f798f1822bddbb3ebdbf6b0fa2614a3d41d
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSo:sxX7QnxrloE5dpUp0bT
Malware Config
Signatures
-
Drops startup file 1 IoCs
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
-
Executes dropped EXE 2 IoCs
PID | Process
2416 | locxopti.exe
1824 | abodloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCO\\abodloc.exe" | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidK3\\bodaec.exe" | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 IoCs are repeated pid/process pairs; collapsed here to distinct pairs with their counts.
PID | Process | Occurrences
4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 4
2416 | locxopti.exe | 30
1824 | abodloc.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
Description | PID | Process | procid_target
PID 4680 wrote to memory of 2416 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 88
PID 4680 wrote to memory of 2416 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 88
PID 4680 wrote to memory of 2416 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 88
PID 4680 wrote to memory of 1824 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 89
PID 4680 wrote to memory of 1824 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 89
PID 4680 wrote to memory of 1824 | 4680 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 89
Processes
-
Depth 1
Image: C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe"
PID: 4680
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  Depth 2 (child of PID 4680)
  Image: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  PID: 2416
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
  Depth 2 (child of PID 4680)
  Image: C:\UserDotCO\abodloc.exe
  Command line: C:\UserDotCO\abodloc.exe
  PID: 1824
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
308KB
MD5
ecb86671afdab56d722dfdbaeb1dd77a
SHA1
c42c6de98e313d5aebd3a56a590a090001722241
SHA256
061f4d2321acb2815360a70045dd2e0e9dffa26d8a1cbbbd53e3975a2390366c
SHA512
91f978d46ae705fcf026ca97f2ee273c416495cc0b6d41178aabb563e1b674914d8f34cd9e07b832780c89ab0ac2d5762e9299d9c73c888132f2fda05dcdfe5d
-
Filesize
2.6MB
MD5
443855c5857c94fabe94ca66d577eca8
SHA1
9e93dd454341ebd6cadde580084cee79322d86f2
SHA256
ef99ff242eac57b88f586aa522becd64d9ff3d332324a1864ce8db9e6a1636ea
SHA512
8a0c2b37a378a25542ce7fb6e771dc002d75978ba2485c3a19ae369481567e96d3ce9573899c55bd1da9965f23e5657847a0774f91af7c9c68d050208a161fea
-
Filesize
201B
MD5
a3700d6613d85833a8e2738e5a8359e8
SHA1
78e06c6364601d9930503dbbb6af78e97ce34bc4
SHA256
8ce9a1cef82f7d0b93fc4bebb1eb8e020cc2c149022e396f5f64c4e397e26249
SHA512
7e0e1dc76e4d2548ca06f76c4efbc8d762e0f178908d3fbc2c07964626d02ae9d39ced61fe17a072485af305432f959413640bb24004bb810ce86d120499d556
-
Filesize
169B
MD5
b5fd6c4342da1afa99627d879a644dfc
SHA1
0475b557d14c4ea21f926f7f1064814efa335896
SHA256
b4e9c9f405e3993fe943b67d75a220c9df9280441a30a73d32061e38b41893b6
SHA512
e7b55b63b7f420a8a7e0f53e80a50f3a2f320d27868e55904609bae7aae5116ca389cc41a8dffc28912a3fdd2ca49c8e3f217b4b793d50d36aa7e6be00f05771
-
Filesize
2.6MB
MD5
797c6c23837628dbd55c18ddabf6b317
SHA1
387c05cb3c1bc5de828b162cb7e6ebc592ae87d3
SHA256
c9c6b9326a6e3d8107a34011402e3ffb5bd219ff294405a5bdc5e749a7c47e26
SHA512
c745769109417e785da991716b414a85faa0de023cb6b69afd5afdafbc522759a45abb0e9ae8a67921bf8a72069629f2eaff6943bff03e73798718579cd2f780
-
Filesize
679KB
MD5
90a958f21a4ab169735076960458620a
SHA1
6ff165f5ed17e5b805ad4e0d69db4748ce9bc551
SHA256
d72b5c17982e729ed1d069d2f62e2f79827b4088f3d98aacad9730705189e97f
SHA512
3d5c83a3f6071c2b98765ae3c6bb3686591605d4513e0f343e633f6046ba5f8d3d32fc5358760a17e6c898bfc1dd0d1294a2d9c4c8a6379cc25cbe99798a3205
-
Filesize
2.6MB
MD5
8fcc8739408c0e50387d04fc8217c0cb
SHA1
c3ed4cc84043986c74e25f1b08f66e248578e162
SHA256
8afb7ca3de15570d981252c2c9bb3f6340364fef6e4ba978a407d07161fc7715
SHA512
efb0a0d3522e558b2e98925a82a15a7ce82b166ec31d111b08120a852ed1afd096ea4e8fb4cb314b36230af1199903ae4987e85961945a2949db94e33ca10638