Analysis
Max time kernel: 120s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 11/11/2024, 22:58
Static task: static1
Behavioral task: behavioral1
  Sample: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  Resource: win10v2004-20241007-en
General
Target: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
Size: 2.6MB
MD5: 671ca0e4036f5e4fd20da5fa86937dda
SHA1: 6f7522bd908960c39a8279a20ece9200947acb69
SHA256: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991
SHA512: 7910b63602e6128d32ee1c0dbdfa1cf3e2229d7ecd339348c2fb5f0f127a59cccffb80cd66bf711edaafbfd6a4215c90066aded58995ee307141669c14bc5ced
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSD:sxX7QnxrloE5dpUprbI
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe)
Executes dropped EXE (2 IoCs)
  PID 2812: locxopti.exe
  PID 2804: xdobsys.exe
Loads dropped DLL (2 IoCs)
  PID 2212: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  PID 2212: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZO\\xdobsys.exe" (process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4K\\dobdevsys.exe" (process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2212: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe (2 entries)
  PID 2812: locxopti.exe and PID 2804: xdobsys.exe (remaining entries, alternating between the two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2212 (0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe) wrote to memory of PID 2812, procid_target 30 (4 entries)
  PID 2212 (0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe) wrote to memory of PID 2804, procid_target 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe"
   PID: 2212
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 2812
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\AdobeZO\xdobsys.exe
      Command line: C:\AdobeZO\xdobsys.exe
      PID: 2804
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: 204a05a10dad1a06e68b89c19bd400bf
  SHA1: 71bc9dfee106f6eb017fde5c50d3f8e21ffd67f0
  SHA256: eac2874a6bd90a38bde6541bb0e0fe6772f94304263602f4a2a8c38a5577a42b
  SHA512: 01207948290b61fa7dfbd3ef8a6cef9fa7243dc7028a558bafc3bf632f201feb740ca1b7840fd620394b232f4cc01c7e64cb36c7cc071ba876c05b0fbef9ae94
Filesize: 2.6MB
  MD5: 983208efccc0e70698afe0543962a3e4
  SHA1: ca89037f6a5138a552cbdda879debcb1bfaf5cc4
  SHA256: 8f67249b1fe79296f3ada958796d50d5c0d5186b1b6aeb30c7d7ff99e0598a3b
  SHA512: ffd580053eca1aafdf5d95fdff93fa672557a8f5348df54e9cb92d2c20aff5a57d5a4442edfc67473297ef6fd1ade395a7ac322e24060ecb72e147eca53b3191
Filesize: 2.6MB
  MD5: 2a389542beea0684a398a5dc0ffff5d0
  SHA1: 6ef0a6408cde893ce38f1f04b0f9d7a1cb54ad0f
  SHA256: 7ebc21e1f79d53d77b2cec73a62a1e6e84c79677df3a7244eb41912ef9cff61a
  SHA512: 72984864685d14f94a0f69a43f274a572f7db9ed84fba4240835fa5d25711e439c4959b3931e2926f9edef0bdb071bfdf02fab7dcb0233285d356d197de5703a
Filesize: 171B
  MD5: 88d921a41fabeb3cad4ce9e179f5d6e1
  SHA1: 19aabb4bec95caa868bb6e01829d9459450d1caf
  SHA256: 5ce5c0d3dce7b80ff08161f4e65b840ad114241035a52e22dd049cc6574bea42
  SHA512: 7d66d8d348fda6b366df36969c125fd7cc69efce1bdbe166ac911ab83ac1784cef1fc8149fec2088e30c544f4f50d65198e54ad29533a3e176271b7dc119ad91
Filesize: 203B
  MD5: e2adce868aa9c523bf1bd47f7ebc6267
  SHA1: 22c9db77b048cc3d395a5141c544655371e13968
  SHA256: 8180df726a823381aaceb846b1508e688c99691e8ae4f1ff743c6db619fccef6
  SHA512: aac07f8c425ac2d688b20cdcd6b89463b6c33ac63298ab89a96c6278347dbac09bf07073991941f987f7bca5bc22038a1b19d5a32d94338daf8121d0fa419d0b
Filesize: 2.6MB
  MD5: 952164d9539bb6fe373932b7659ac1e2
  SHA1: 9eebd7f07a6ab972884b53db9d96c6dafaa40764
  SHA256: 40f9e615c5d49a137b7a5936f7d0911d49ddf6199cb32cdf819b5fce6f591210
  SHA512: 79f34ed4f9faa84e3b64d7c43b9a868fd1b3ea41024b0c9abc4e3651bd3f934e2e59fcb9122db7b6e09ce584540edfb04d3e7ee5dc68728cb728b294ef5716e7