Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:19

General

  • Target

    6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe

  • Size

    2.6MB

  • MD5

    af0ab76c356070b84815b4c61df01b0f

  • SHA1

    32f2b80acc2d834fe61091871125a1dd08295d50

  • SHA256

    6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6

  • SHA512

    a4e311fea5c61c86a8ba2d7195134108069c4930a514cc150adddce68c299926647cd77fcf82c54b4e9606bfec3425b3fa0426732f345010fb13dfb3e65d3f94

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSq:sxX7QnxrloE5dpUpPbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
    "C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1592
    • C:\Files20\xoptiec.exe
      C:\Files20\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:380

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files20\xoptiec.exe

          Filesize

          2.6MB

          MD5

          b20f7d4c54036a30e64cb6be641d07eb

          SHA1

          fda800ba1216c059f35465e06becab8c38943f4a

          SHA256

          8e19ae92639cf5099352183254d421319951367cbd9ee389d88f0a83eeae12af

          SHA512

          4de1e1d1ffb07d3de603b44bc2cccbaa8ef0ffb3abb593872535bf98425e2379f5d93465a36072fdb9e0d9f93d021361ac947646c93d034cf92ac7f9834ef4ca

        • C:\LabZ4O\bodaec.exe

          Filesize

          2.6MB

          MD5

          a20764b45de737e2ff7f8c8185ae2884

          SHA1

          9d9567e4ebd6aaa7ca456e7a5f8e983d7e3a8558

          SHA256

          ecc8bbc11197e7706faf3d03423e670f3bcc6289d9bf1929f32be90dba395ae5

          SHA512

          a101fd43ae6ea56db83e0b9a6a5b3e5cda16eb6529b6a15c4aa74330c2f65f6a5e660eee02d724299e3829191ad320adaf105324143f7f4272f5c525fce5abd0

        • C:\LabZ4O\bodaec.exe

          Filesize

          2.6MB

          MD5

          a3f83ac2a8bbd00bcea91a44438cc75f

          SHA1

          e3e824ed6a0267ff6d979f43f0a16f924de9346c

          SHA256

          f77c70e7a04f94e44d7d6fb48008c1117343f429c731cc77197b8413b64a83e9

          SHA512

          02a5a2303ef3a31ada99d7ff19a9f6c2c033384806ab2b85a9b0fb780924a520c8ca969a6673e2c9266ee54c7fc3f4aa3342fe63183f6584758b735c44b9341a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          7c8be1cb4a67eb05f0fc4ce24186cd42

          SHA1

          9bffa052d87b4040efd7dcaca9fbf7294ee85431

          SHA256

          6bf3ef3c33de1249b2d841c33172027bff00051cb0beb72e24f69f993e60fc5e

          SHA512

          3b50aa48fdb4fe0af3cb64c60a13859618edf0c10a669c47a73e5f1081f6cf749ba9d874e29b1b909673e76a4237fc41df363294f2e13e4a02d5c2ec8039a756

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          0c91d76b769c1e2800b0bce2bc09d8fa

          SHA1

          d8e0e36e1524ff137c82776e77b601ef2b24745e

          SHA256

          65fde389716745020d7e43291be9f4e05a75cb80aed55b2749c7917a076de0ce

          SHA512

          56593151cda26b37ef79395339d552bedee3404225ecfdbdb1a5c37a6a67db3e27810a8ae3e1cc8c83d24381ea8d56b6064ec9a384511530ef1ffacc0456d585

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          45e35563d0b5da95ee2dc90d3cab3977

          SHA1

          48a2e3f77e7f08a755829df4f3472c5fe08c0ae4

          SHA256

          dc4b224b74a227e2f47574faae6321e7f776aa73b87a2478bfab53187685676e

          SHA512

          ed9ba7154ff93c1032cc9eaf23ec4e799babacb44e5037f2ed65eb0a6ca6f1f37a863c5cc7fb4b15153a644c7768fdb8910f16ade3c2f718ec7f9c04e11aa6e0
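The Signatures, Processes and Downloads sections above give a practitioner three things to hunt for on other hosts: the dropped binaries (locxdob.exe in the Startup folder, C:\Files20\xoptiec.exe, C:\LabZ4O\bodaec.exe), their SHA256 values, and a Run-key persistence entry whose value the report does not print. The script below is an added example and is not part of the sandbox output: it hashes whatever sits in those drop directories, matches names and SHA256 values against the report, and flags Run-key values that point into those locations. The Windows paths and the registry read are assumptions for a live host; both are skipped where they do not exist.

```python
"""Host sweep for the artifacts this report lists.

Added example, not part of the sandbox output. It hashes files under the
drop locations named in the Processes and Downloads sections, matches them
against the SHA256 values listed there, and flags Run-key values pointing at
those locations. The Windows paths are assumptions for a live host; the
registry read is skipped off Windows.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA256 values copied from the report: submitted sample, then the dropped EXEs.
KNOWN_SHA256 = {
    "6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6",
    "8e19ae92639cf5099352183254d421319951367cbd9ee389d88f0a83eeae12af",  # Files20\xoptiec.exe
    "ecc8bbc11197e7706faf3d03423e670f3bcc6289d9bf1929f32be90dba395ae5",  # LabZ4O\bodaec.exe
    "f77c70e7a04f94e44d7d6fb48008c1117343f429c731cc77197b8413b64a83e9",  # LabZ4O\bodaec.exe (2nd write)
    "dc4b224b74a227e2f47574faae6321e7f776aa73b87a2478bfab53187685676e",  # Startup\locxdob.exe
}
# Names from the process tree. Each run writes a fresh 2.6MB binary, so a
# name match with an unknown hash still deserves a look.
KNOWN_NAMES = {"locxdob.exe", "xoptiec.exe", "bodaec.exe"}
# Drop directories the report shows (assumed live-host paths).
DROP_DIRS = [
    r"C:\Files20",
    r"C:\LabZ4O",
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a 2.6MB drop is hashed without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest):
    """Reasons a (file name, sha256 hex) pair matches the report; [] if none."""
    reasons = []
    if name.lower() in KNOWN_NAMES:
        reasons.append("name")
    if digest.lower() in KNOWN_SHA256:
        reasons.append("sha256")
    return reasons


def sweep(roots=DROP_DIRS):
    """Walk each existing root; return [(path, 'name,sha256'), ...] for hits."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            try:
                reasons = classify(p.name, sha256_file(p))
            except OSError:
                continue  # locked or unreadable; move on
            if reasons:
                hits.append((str(p), ",".join(reasons)))
    return hits


def suspicious_run_values(values):
    """Value names in {name: command} whose command references a drop dir or name."""
    needles = [d.lower() for d in DROP_DIRS] + sorted(KNOWN_NAMES)
    return sorted(n for n, cmd in values.items()
                  if any(x in cmd.lower() for x in needles))


def read_run_values():
    """HKCU and HKLM Run values as {name: command}; {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    out[name] = str(data)
        except OSError:
            continue
    return out
```

On a suspect host, call `sweep()` and then `suspicious_run_values(read_run_values())`; a name-only hit is expected even when hashes differ, because the report shows the dropper writing a new 2.6MB file on each execution (note the two different hashes for C:\LabZ4O\bodaec.exe above).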