Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:47

General

  • Target

    f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe

  • Size

    2.6MB

  • MD5

    c20eb780ca20b75ce386c46ea78e38e0

  • SHA1

    376d78028196c0485c3d223f7967e117c547d644

  • SHA256

    f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849

  • SHA512

    feb5c611271f8f662cb6fff376d9611b7fe4fc1e55446f42f2b205880d3a4eff57c7afdbb0138a23925682c3352591f11a14875a2990a409a46cc78e73694a57

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpLb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4464
    • C:\FilesR3\xoptiloc.exe
      C:\FilesR3\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4988

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesR3\xoptiloc.exe

          Filesize

          2.6MB

          MD5

          135c06a43ae043b4e36009861464369f

          SHA1

          663adcce5f6a5a66145d37c43e956618b433f6cd

          SHA256

          320bd759a59028a8100c5c7c875d96c53f7ab7d1e30cfc96ce4b867db3b68c3c

          SHA512

          c91f57095775fd6f033bf0d1fc3ddadbe800932f8451d9fdf7bd25dd45afc3e2512a6002e1136155b3fb17c838a031c85fcc687a6044b274f9062281c5fc9422

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          4a5b362dd82ef873942d5aee8c5caea6

          SHA1

          e7dbf040b93fab5916aeec0ee4c64b40d72958b9

          SHA256

          925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d

          SHA512

          4dfee0637832e32ef8dd87f81f401d580781fc382c03cbfb1b47745138648564cf869ce5db2238f9fbfdf3ccba9201e3b3150064971fff65aafe3a0b83a31c79

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          c23d1d86c248b156c55e54b4a49c6542

          SHA1

          2d451ba9173c1f14512a11a8394f5f6e51227b7e

          SHA256

          e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3

          SHA512

          ac29886624b6603dd91035533a4e89c71cb5d53f8f9c1401556c8deb6e4c9bb4320678d2e7011013c1fc312a8bcc177cbd01d287f79ba2c8019f85f32388baf6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          2.6MB

          MD5

          c4dd7d9e2e77c86aec44393027e7763d

          SHA1

          7be85b2e0f339a67383416212fd45ffcfa665261

          SHA256

          f17121a42c1eaf885ee05f2555f6645279a88a0413951f63f169ab147f3b134f

          SHA512

          26a5309b5751ef1a3a40f9bc7d18c039aa7652b33eda87ac77eb509ce424041d34eba6330754f6a4b807c38a740833d55a664f395017b7b4c04d9c60a6e1eb0f

        • C:\Vid0G\dobdevec.exe

          Filesize

          2.6MB

          MD5

          04dd6b3f7b6c3bb0bd5e301ef99258e8

          SHA1

          a979f93350a1697ce58e3a8c7dd322ba6c5f67bb

          SHA256

          8f3fcb958a21bf06df579b6714c939b8b8d52899d760e7cd51e10754f978f0bf

          SHA512

          7ef6a88713f331209578ed0ae1e61b66e18804f943fee739128c75d59baeb0610c58c5b83900e0e6c5cfd1bf2bb54822adcac705a0fb6687713ff229347e52e4

        • C:\Vid0G\dobdevec.exe

          Filesize

          2.4MB

          MD5

          7ca3ef0b2b4dbe90dfa44a677309618b

          SHA1

          ac8272618538c1d47ccb5683d60a0f510480dfc5

          SHA256

          20097c9e7c1537a2009c39c3a18f2bae4ad0126f48d3c4680d2a5cdf32e347b6

          SHA512

          145c1ef7af33025d22f95aae631a8474e56639b1ea4626f6fee68667e8ef648684dfc010561063e9b1d4c760b72474e258baafcedce99cb9c1a2e4ab7a8b69bf
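The process tree and the dropped files listed under Downloads describe one persistence chain: the sample (PID 2452) writes locdevbod.exe into the user's Startup folder and xoptiloc.exe into C:\FilesR3\, registers a Run key, and then launches both copies (PIDs 4464 and 4988); dobdevec.exe is written to C:\Vid0G\ but is not seen executing. The Python below is an added triage example, not part of the sandbox report, that reproduces the "Drops startup file", "Adds Run key to start application" and "Executes dropped EXE" signatures over Sysmon-style events and checks process hashes against the SHA256 values listed in this report. The events are constructed by hand from the process tree; the explorer.exe parent, the Run key hive path and value name, the benign notepad.exe event and the Sysmon field layout are assumptions (the report does not show which registry key was written).

```python
"""Triage of Sysmon-style events against the behaviours in this report.

Added example, not the sandbox's own code. The event records are constructed
to mirror the process tree above; field names follow Sysmon (Event 1
ProcessCreate, 11 FileCreate, 13 RegistryEvent) but they are not real telemetry.
"""
from typing import Dict, List, Tuple

# Paths copied from the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe")
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\locdevbod.exe")
FILESR3_COPY = r"C:\FilesR3\xoptiloc.exe"
# Assumption: the report only says a Run key was added; hive path and value
# name are made up for this example.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\locdevbod"

# Hashes copied from the report (target plus the Downloads entries).
MD5_TARGET = "c20eb780ca20b75ce386c46ea78e38e0"
SHA_TARGET = "f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849"
MD5_LOCDEVBOD = "c4dd7d9e2e77c86aec44393027e7763d"
SHA_LOCDEVBOD = "f17121a42c1eaf885ee05f2555f6645279a88a0413951f63f169ab147f3b134f"
MD5_XOPTILOC = "135c06a43ae043b4e36009861464369f"
SHA_XOPTILOC = "320bd759a59028a8100c5c7c875d96c53f7ab7d1e30cfc96ce4b867db3b68c3c"
IOC_SHA256 = {
    SHA_TARGET, SHA_LOCDEVBOD, SHA_XOPTILOC,
    "8f3fcb958a21bf06df579b6714c939b8b8d52899d760e7cd51e10754f978f0bf",  # dobdevec.exe, 2.6MB
    "20097c9e7c1537a2009c39c3a18f2bae4ad0126f48d3c4680d2a5cdf32e347b6",  # dobdevec.exe, 2.4MB
    "925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d",  # ..._Admin.ini, 203B
    "e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3",  # ..._Admin.ini, 171B
}


def sysmon_hashes(md5: str, sha256: str) -> str:
    """Render hashes the way Sysmon's Hashes field does: upper-case, comma-joined."""
    return f"MD5={md5.upper()},SHA256={sha256.upper()}"


def parse_hashes(field: str) -> Dict[str, str]:
    """Split 'MD5=..,SHA256=..' into a dict with lower-cased hex values."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


# Constructed events in the order the report's signatures imply.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2452, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed launcher
     "Hashes": sysmon_hashes(MD5_TARGET, SHA_TARGET)},
    {"EventID": 11, "ProcessId": 2452, "TargetFilename": STARTUP_COPY},
    {"EventID": 11, "ProcessId": 2452, "TargetFilename": FILESR3_COPY},
    {"EventID": 13, "ProcessId": 2452, "TargetObject": RUN_KEY, "Details": STARTUP_COPY},
    {"EventID": 1, "ProcessId": 4464, "ParentProcessId": 2452, "Image": STARTUP_COPY,
     "ParentImage": SAMPLE, "Hashes": sysmon_hashes(MD5_LOCDEVBOD, SHA_LOCDEVBOD)},
    {"EventID": 1, "ProcessId": 4988, "ParentProcessId": 2452, "Image": FILESR3_COPY,
     "ParentImage": SAMPLE, "Hashes": sysmon_hashes(MD5_XOPTILOC, SHA_XOPTILOC)},
    # Benign control event (assumed): must produce no finding.
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "00" * 32},
]

Finding = Tuple[str, int, str]  # (signature, PID, detail)


def triage(events: List[Dict]) -> List[Finding]:
    """Replay events in time order and emit the report's behavioural signatures."""
    findings: List[Finding] = []
    dropped: Dict[str, int] = {}  # lower-cased path -> PID that wrote it
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11:  # FileCreate: remember who dropped what
            path = ev["TargetFilename"]
            dropped[path.lower()] = pid
            if "\\start menu\\programs\\startup\\" in path.lower():
                findings.append(("Drops startup file", pid, path))
        elif ev["EventID"] == 13:  # RegistryEvent: value set under a Run key
            key = ev["TargetObject"]
            if "\\currentversion\\run\\" in key.lower():
                findings.append(("Adds Run key to start application", pid, key))
        elif ev["EventID"] == 1:  # ProcessCreate
            image = ev["Image"]
            if image.lower() in dropped:  # image was written earlier in this trace
                findings.append(("Executes dropped EXE", pid,
                                 f"{image} (dropped by PID {dropped[image.lower()]})"))
            sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha in IOC_SHA256:
                findings.append(("Known IOC hash", pid, sha))
    return findings


if __name__ == "__main__":
    for sig, pid, detail in triage(EVENTS):
        print(f"[PID {pid}] {sig}: {detail}")
```

Two caveats follow from the report itself. Hash IOCs are weak on their own here: the target and its dropped executables are all 2.6MB yet carry different hashes, and the same path (C:\Vid0G\dobdevec.exe, the .ini under C:\Users\Admin) appears twice with different content, so the behavioural correlation (a file written to Startup and then executed from there) should carry the detection and the hashes serve as confirmation. The "Executes dropped EXE" rule also depends on the FileCreate event arriving before the ProcessCreate, so feed events sorted by timestamp.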