Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:24
Static task: static1
Behavioral task: behavioral1
  Sample: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  Resource: win10v2004-20241007-en
General
Target: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
Size: 2.6MB
MD5: 6d95fae96a1934e6ddb07952c4ff8650
SHA1: 6750b89dc3d53d195b1f4b20be35f12688e3de66
SHA256: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c
SHA512: dbcd23134f03e33b8331b37f8fa2b138c75bebae3e8729cf412599cdbacdc9b0fae6058b921d0e99f14c4cea29173a1936ffb960f99370e2eec45a9f7ebb0adc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUpjbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe)
Executes dropped EXE (2 IoCs)
  PID 2952: locabod.exe
  PID 2500: xoptiec.exe
Loads dropped DLL (2 IoCs)
  PID 1924: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe (two load events; the report does not name the DLLs)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report lists no individual IoCs for this signature.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJE\\xoptiec.exe" (process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIM\\dobxsys.exe" (process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe)
  Both values share the name Parametr. The Run target xoptiec.exe is also launched directly by the sample during this run (PID 2500); the RunOnce target dobxsys.exe does not appear in the process tree, which is consistent with a RunOnce value only firing at the user's next logon.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: locabod.exe, xoptiec.exe, 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1924 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe: 2 events
  PID 2952 locabod.exe and PID 2500 xoptiec.exe: the remaining 62 events, alternating between the two processes (31 each)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1924 (6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe) wrote to memory of PID 2952 (locabod.exe), procid_target 31: 4 events
  PID 1924 (6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe) wrote to memory of PID 2500 (xoptiec.exe), procid_target 32: 4 events
  Every write goes from the parent into one of the two child processes it spawns; no write into an unrelated process is recorded.
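Turning the persistence and file indicators from the signatures above into host detection logic, as an added example that is not part of the report or of the sandbox's own tooling. The event format is a simplified Sysmon-style dict of my own (an assumption, not a real log schema), the event list is constructed for the demonstration with paths, the Parametr value name and SHA256 hashes copied from the report, and the ATT&CK mapping to T1547.001 (Registry Run Keys / Startup Folder) is mine, not something the report states. Beyond the exact IoCs, the Run/RunOnce rule also flags any autostart entry pointing outside the usual trusted roots, so a renamed variant is still caught.

```python
"""Host hunt for the artifacts listed in the sandbox report above.

Added example, not part of the report. Rules run over Sysmon-style events
(registry value set, file create, process create) represented as plain
dicts; the event format is an assumption made for this demonstration.
"""
import re
from dataclasses import dataclass

# SHA256 of the submitted sample and of the four 2.6MB files in the Downloads section.
IOC_SHA256 = {
    "6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c",
    "5b30be4646a2b9f6f81aa36c7dfe3661be2f3961b7e9ed39bfcc0231bc3a04f6",
    "7ea08cd36ddb4e7deeba31aa66ad86c2217468d6eb8d26ff853621c308697c52",
    "0708d04e6393144f128fa2e9fbde4148cc53a7a5030313b697cbbe3552e06dbc",
    "8e62d6114c433f3c778a11a8c527142b664a1165887af03573fd37600710cca4",
}
# Run / RunOnce targets and the value name the sample used.
IOC_RUN_TARGETS = {"c:\\userdotje\\xoptiec.exe", "c:\\mintim\\dobxsys.exe"}
IOC_RUN_VALUE_NAME = "parametr"

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)
# Autostart entries under these roots are usually legitimate; anything else is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    technique: str
    detail: str


def _norm_path(p: str) -> str:
    """Lower-case, strip quotes and collapse the doubled backslashes seen in registry dumps."""
    return p.strip().strip('"').replace("\\\\", "\\").lower()


def check_registry(ev: dict):
    """Registry value set: flag Run/RunOnce entries (report IoC first, then untrusted path)."""
    m = RUN_KEY_RE.search(ev["target"])
    if not m:
        return None
    key, name = m.group(1), m.group(2)
    data = _norm_path(ev["data"])
    if name.lower() == IOC_RUN_VALUE_NAME or data in IOC_RUN_TARGETS:
        return Finding(ev["id"], "run-key-report-ioc", "T1547.001",
                       f"{key}\\{name} -> {data} matches the report")
    if not data.startswith(TRUSTED_ROOTS):
        return Finding(ev["id"], "run-key-untrusted-path", "T1547.001",
                       f"{key}\\{name} -> {data} outside trusted roots")
    return None


def check_file(ev: dict):
    """File create: anything written into a per-user or common Startup folder."""
    path = _norm_path(ev["path"])
    if STARTUP_RE.search(path):
        return Finding(ev["id"], "startup-folder-drop", "T1547.001", f"created {path}")
    return None


def check_process(ev: dict):
    """Process create: image hash against the report's hash set."""
    if ev["sha256"].lower() in IOC_SHA256:
        return Finding(ev["id"], "known-bad-hash", "n/a", f"{ev['image']} sha256 in report")
    return None


CHECKS = {"registry": check_registry, "file": check_file, "process": check_process}


def hunt(events):
    """Run every check over the event list and return the findings in event order."""
    findings = []
    for ev in events:
        f = CHECKS[ev["type"]](ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed events: 1, 2, 4, 5 and 6 should fire; 3 and 7 are benign controls.
HIVE = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry", "target": HIVE + r"\Run\Parametr", "data": r"C:\\UserDotJE\\xoptiec.exe"},
    {"id": 2, "type": "registry", "target": HIVE + r"\RunOnce\Parametr", "data": r"C:\\MintIM\\dobxsys.exe"},
    {"id": 3, "type": "registry", "target": HIVE + r"\Run\OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 4, "type": "registry", "target": HIVE + r"\Run\Updater", "data": r"C:\Users\Admin\AppData\Local\Temp\upd.exe"},
    {"id": 5, "type": "file", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"},
    {"id": 6, "type": "process",
     "image": r"C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe",
     "sha256": "6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} [{f.technique}] {f.detail}")
```

Running the block prints one line per finding: the two Parametr values fire on the report's own paths, the Temp-directory Run entry shows the generic untrusted-path rule catching a variant under a different name, the Startup-folder drop and the sample's hash are matched directly, and the OneDrive entry and notepad.exe are left alone.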
Processes
C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe (PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (PID 2952, child of 1924)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\UserDotJE\xoptiec.exe (PID 2500, child of 1924)
    Command line: C:\UserDotJE\xoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
(six files; the report lists them by size and hash only, without filenames)

Filesize: 2.6MB
MD5: f020dc7e2095dc5658ba4564883c1453
SHA1: a06d9dabff25e6d44c78664670c1f8b3163d146f
SHA256: 5b30be4646a2b9f6f81aa36c7dfe3661be2f3961b7e9ed39bfcc0231bc3a04f6
SHA512: bb09e4fcf3967ed0e6ff2df77243d949fc558154c693ed63df4c715fabdbdd62b08c3e841512b1be9cf0c192ece3ce079d1d29abe0df39315fd38aa8eef33df1

Filesize: 2.6MB
MD5: 1a6aec8827946280048956765844777e
SHA1: 8ce362d25645660f5be624b470247e130e31ce26
SHA256: 7ea08cd36ddb4e7deeba31aa66ad86c2217468d6eb8d26ff853621c308697c52
SHA512: 3cf8169b452c3fa31057204296e23cbe21792f92c47e2773969f0681fedcef2ce2930bdd631542aeab5036760842b5183eb4b0126c5699796b09c5e3b7e614c9

Filesize: 2.6MB
MD5: cd16fa8c4b01b0d485a48af1ac1aadfc
SHA1: a3a22135b12eb98aeb06092748c58f6ccf27ae47
SHA256: 0708d04e6393144f128fa2e9fbde4148cc53a7a5030313b697cbbe3552e06dbc
SHA512: 685b4b8b1099e99749cd20e4300f87921d0fdfbf313ca2c338a7918175da520cf93550ae39bab5f5cf78905165aee94a3d9f0099018451fcd74babd2132e56b8

Filesize: 170B
MD5: 80ccbf0c472ef7fdc919cb456b91923a
SHA1: 4535910f03ab2ba6761966c025c97a7083d282aa
SHA256: 1444215d6fb11b55d8f7cf248b19e578cd2cb727c805def619894c8bab56917b
SHA512: 33b61c84fd7cfad0d3558a803f24ab93c970e106ed9a954045cac376978f61fb8eb7757ad7c380f3e38043848477e0787b0d686477bbc668286bf12890e69e8d

Filesize: 202B
MD5: 356c66ed7173adc9ebf03dd0d2bcc61e
SHA1: 292f34aff19a8064652e1d720464ff55c0957a72
SHA256: cb0cf04ef9fdacb5097b3787cf23256b0581e172c93c22738d65cb7a77ef230d
SHA512: c713d633ea137a81cde284b01fc6b6481eed5215c0e2ffbedbaa5e2756e5b5c563300816dc2cafd729537a33c62a79c36591beff5b8c05c5b2490e638461ead6

Filesize: 2.6MB
MD5: 346a8d4aee7236db8c62875889aa54ab
SHA1: e93bcf3bc2a956094568443649382f83c4c82044
SHA256: 8e62d6114c433f3c778a11a8c527142b664a1165887af03573fd37600710cca4
SHA512: f6034598ed031c92d72648eab6de3941070da5fd189c8b70590b5f89c29bb2f59d6e34ac3e7d1167135069f1a774d2888dd666b09080d68bef6f5a989f5d5929