Analysis
max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
11/11/2024, 23:30
Static task
static1
Behavioral task
behavioral1
Sample
6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Resource
win10v2004-20241007-en
General
Target
6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Size
2.6MB
MD5
dbc6434b88a8b9017cbc55b7b680ef0a
SHA1
52ccdd946bd863524595743beccdfed48e23ae7b
SHA256
6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a
SHA512
abe0d9e057fb415fb91c2006878b2ffba5ebc63ea0d192beaab5b7b03c2079e69564c000d34c25a2e8fee3fb5fee16bf2992523aae8f570f1ab8eedb662ea8cc
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUp3b
Malware Config
Signatures

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe

Executes dropped EXE (2 IoCs)
pid | Process
2532 | locxopti.exe
2544 | adobloc.exe

Loads dropped DLL (2 IoCs)
pid | Process
2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv03\\adobloc.exe" | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBW\\optialoc.exe" | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 2
2532 | locxopti.exe | 31
2544 | adobloc.exe | 31
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2172 wrote to memory of 2532 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 30
PID 2172 wrote to memory of 2532 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 30
PID 2172 wrote to memory of 2532 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 30
PID 2172 wrote to memory of 2532 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 30
PID 2172 wrote to memory of 2544 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 31
PID 2172 wrote to memory of 2544 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 31
PID 2172 wrote to memory of 2544 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 31
PID 2172 wrote to memory of 2544 | 2172 | 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe (PID 2172, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (PID 2532, depth 2)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

  Child: C:\SysDrv03\adobloc.exe (PID 2544, depth 2)
  Command line: C:\SysDrv03\adobloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
8KB
MD5
640f7b2ac26336229373f2ecd8f1e3a8
SHA1
8cfce73dd133747809bae24c696a802d971ad6df
SHA256
66baea018715e78994053487d660febeba43540f4d76ae24735f7587954117d3
SHA512
ef4e20d859152927a79e4664f7e94555cb4816cfc7746d897db81ec06b07015e8e8d2d096446d27e9cdc3935f8a9e520a00b2f9582f31ffd83a9c36f0ca33267

Filesize
2.6MB
MD5
f99024660825aaabf4de1c919c611cbd
SHA1
d08e12c41644b483b306da98d42470b83e597c80
SHA256
17b4e470a0683491103148da3990c845fc8b375c9563fd69004b9ac5eb421493
SHA512
0bfc8e55a70b993d21b8909a788fed7bf0d5fcd88661c66ded8b3705afcb40441dc0255b181dba3e8c0db57ca7669d54598477733c4d1ce2429d2f3309b85c88

Filesize
6KB
MD5
0860ba7ab87e6dbf893e728aa4621778
SHA1
6296ec6dd59bc3b8a68b647437f788d3632c62db
SHA256
dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2
SHA512
6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

Filesize
2.6MB
MD5
6235a45acb96499db77bd66e914d1273
SHA1
e2a28dc9732eb9c2ecf801c3e85cb4ef7843616e
SHA256
feceeaf26ea2c27eb2db14ea83a9fedb75d2b217aa4307a205f70313de2c9558
SHA512
a55a64c0faefaf80cfab5912d97fdfa165575ee9a6bbfb650175e8ef2281d825d70933c2953124d76cfe4b3da5bb44d1a4436628ecf0f1d122013dce97553c20

Filesize
171B
MD5
3abf40bde1030fa4d785a187052dce5b
SHA1
f13c8494c0ca25d6c81e5cbb3240d70187ac5606
SHA256
51787751699452e4d2024b638327c945c7554177ab5b8e944d3828fcacb57bcd
SHA512
fa46149d8de21467f1ece209e54659b7081139b70bb0df2c2a9caa094c62493ac4eddffa3980895f4181d979a015d5294f85e139f52869e5209a06bd7509f5e7

Filesize
203B
MD5
c24c5ed629617b315229b8950be5531b
SHA1
3d30fc02eef87c46cf38e8fa90bbfccf1325fc56
SHA256
0960972f1bd3c9e3bcf8099f4ba7ac0a600039754a1475e59b5fc00a88c02cde
SHA512
17dc3fe14e7d13eb3d1572e498fb22afb763cd173ebfdb3aa3f40edd0cc712dc2ab375a0c52da673b700055ae72ba5418988f124f51d8a27fea955c61cb4c1c0

Filesize
2.6MB
MD5
356daadd11b214d1b22f9405c9849caf
SHA1
e8871a9e54199c3524ac27008c51af2f285a59a4
SHA256
cba3bb5c58ab0cf959fc144c82ea81a091875a7fcfa6766701d8aa13d8e22ca8
SHA512
90e805ef9df7d56ab43251562d5c7806eff8963f4f7daa378e3beb6fa54b3770918ff1eeb5b01b0bb4f0fd37cf972a58552d6ec9c06be5ec5c581869ce0f1eb3