Analysis
- max time kernel: 119s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 23:27
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
  Resource: win7-20241023-en

Behavioral task
- behavioral2
  Sample: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
  Resource: win10v2004-20241007-en
General
- Target: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
- Size: 2.6MB
- MD5: 69bf32f0b90f257c1afc1c95df1be3b2
- SHA1: 1e87ae5ec09ff190786587c8ba55b65a782e048d
- SHA256: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c
- SHA512: d0d6d2893d18581bbf62a9e532796a500145bdd1dab54efcb0a76cb9c70245b7d502b695ffddc2a2d9b798c68268b6baef6d58866e819c28dfc722d3f9c2e7c4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSN:sxX7QnxrloE5dpUpzba
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe

- Executes dropped EXE (2 IoCs)
  pid 4224  Process: locxopti.exe
  pid 3520  Process: aoptiec.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK4\\aoptiec.exe"
  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFR\\boddevloc.exe"
  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locxopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiec.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1116 wrote to memory of 4224
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 87
  description: PID 1116 wrote to memory of 4224
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 87
  description: PID 1116 wrote to memory of 4224
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 87
  description: PID 1116 wrote to memory of 3520
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 88
  description: PID 1116 wrote to memory of 3520
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 88
  description: PID 1116 wrote to memory of 3520
  pid: 1116  Process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe  procid_target: 88
Processes
- C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe"
  PID: 1116
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    PID: 4224
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\AdobeK4\aoptiec.exe
    Command line: C:\AdobeK4\aoptiec.exe
    PID: 3520
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads