Analysis
max time kernel: 119s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:33
Static task: static1
Behavioral task: behavioral1
  Sample: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  Resource: win10v2004-20241007-en
General
Target: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
Size: 2.6MB
MD5: ed3cb1d16d0b67b5b30f72731d353745
SHA1: d27e62b376ac0bd8d24587fd40ffb2d0c7a25034
SHA256: 092d2e1ad6c85ba0bbfc8a65245cfdb155b91139c6812c5c8f4068ede8401099
SHA512: b1ebfb36f3374946b91249de82c0c4d28ef303808e0561748d6af6ce45d0476e05483120921de0fdea667aa7b79ab7575f5a7ea964b592c32344f4e127747cba
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSQ:sxX7QnxrloE5dpUpfbZ
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
Executes dropped EXE (2 IoCs)
  pid 4724  locaopti.exe
  pid 3904  xbodec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHE\\xbodec.exe"
  process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGP\\dobxec.exe"
  process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: locaopti.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: xbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 entries in total; the same three rows repeat)
  pid 1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  (4 entries)
  pid 4724  locaopti.exe  (30 entries, alternating with xbodec.exe)
  pid 3904  xbodec.exe  (30 entries, alternating with locaopti.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target
  PID 1088 wrote to memory of 4724  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  86
  PID 1088 wrote to memory of 4724  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  86
  PID 1088 wrote to memory of 4724  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  86
  PID 1088 wrote to memory of 3904  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  87
  PID 1088 wrote to memory of 3904  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  87
  PID 1088 wrote to memory of 3904  1088  7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe  87
Processes
C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
  PID: 1088
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
    PID: 4724
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  child: C:\IntelprocHE\xbodec.exe
    command line: C:\IntelprocHE\xbodec.exe
    PID: 3904
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: b84f035113695ea2e207992d89b43cf7
  SHA1: 8eba93937d8a00d1448794663c80b17f4c634054
  SHA256: 75ac8beaa6b7b1c47cbd7a1b55a20d4d8e136019d77f847dda65fc6cd57a1780
  SHA512: f304aaf77b0e1a3caee32b1e66afb8bf3fa8df93491946500fd1bc8d3b9483e73a8a4dd5f77430892cfa5137c8c1fb6216c5249deea84be404c64ebd617bed4a
Filesize: 2.6MB
  MD5: 717162a9aef4c2b2f5d4c50a4a4e7109
  SHA1: b3552f2fb504a87d0ea813c4e20ea81b53dd89e3
  SHA256: 04f911dd7436c73b29fb836913d83cdb526d4e2c37951c5a619a4a48362d5a9f
  SHA512: 85631f9e8ce538e1137126a6c575542d10c71070aa1539a9af6fbffe76c40549c05773c8e235c4cfffb899cc745d73e7f85550bd651d9ddceaf15e91746f8fef
Filesize: 273KB
  MD5: edac67541e17327676c69e7ce541e5e5
  SHA1: 7489b3893cd631df40fe2c6a3d8b8c059c4daff3
  SHA256: f41af16280d71e1bdcb9e9bf942b2c0e87f1d6aef62b6e951820870edf1fc04c
  SHA512: 4764a19827f9be3d915eff21e3f27ccdafc1e507d1ef8b277b300aaaf7265fed9ec7724aa9b9f450d914b321f62414d2209fa89f3f62e38f9a0b74c5b07b3536
Filesize: 203B
  MD5: e0d7ea5f22cf1fd389d4910d097885dd
  SHA1: f6101e1cde674f27489aa5bf4c496e23006d149d
  SHA256: 03ed0f64e656f771fface3338dba3219199e2e452ccfaee3dc30d5e15d47deff
  SHA512: cd4f3a7673a9384e007b52a60283b78e81eb11723c987bd8e7ff0400ff29a4fabbbc107fe6c206070ef6cafaaf7fba3b33102bb00d1be7e35639ad2873382118
Filesize: 171B
  MD5: 5bdf40578ca4f1f868fcae0a48638d7e
  SHA1: ac3f78f2c07b10d9e1a8a619160a9c1f4a1d1394
  SHA256: 455b914a8eb7447c285fc0e3af2b1f0b383c29c5bf5e561a625bcb3ee7bdb7fa
  SHA512: 08b4b00924f85e3baee9eb90d0777b48328f3f4b401617440865ba2b9aa5d3f76b3434ae8d06d573ce17a153a78cba3c9139a3e3fe809c4892c0d0e53c879026
Filesize: 2.6MB
  MD5: caca2d350e70397bad58b798f81cb241
  SHA1: 73d425f110de969682b08d7c423529f6cdff4e6c
  SHA256: 25927850d97a040e9aa4eba92daab82512d4562af360458c9d7c4241d62e09a3
  SHA512: ac5bb5ede487e12ee2c64e20f467f98a913b879ec4ae76dffb395bac90bb3f285ebc3ce26edd884486d35ed407856a2717da5a172a5303b76361849bbeac134b