Analysis
- max time kernel: 120s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 16:47
Static task
- static1
Behavioral task
- behavioral1
  - Sample: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  - Resource: win10v2004-20241007-en
General
- Target: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
- Size: 2.6MB
- MD5: c20eb780ca20b75ce386c46ea78e38e0
- SHA1: 376d78028196c0485c3d223f7967e117c547d644
- SHA256: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849
- SHA512: feb5c611271f8f662cb6fff376d9611b7fe4fc1e55446f42f2b205880d3a4eff57c7afdbb0138a23925682c3352591f11a14875a2990a409a46cc78e73694a57
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
- Executes dropped EXE (2 IoCs)
  PID 4464: locdevbod.exe
  PID 4988: xoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR3\\xoptiloc.exe" (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0G\\dobdevec.exe" (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xoptiloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeats of the following three pid/process pairs:
  PID 2452: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
  PID 4464: locdevbod.exe
  PID 4988: xoptiloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2452 wrote to memory of 4464 (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe, procid_target 87), listed 3 times
  PID 2452 wrote to memory of 4988 (process: f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe, procid_target 91), listed 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe (PID 2452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 4464)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesR3\xoptiloc.exe (PID 4988)
    Command line: C:\FilesR3\xoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Downloads