Analysis
- max time kernel: 120s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  Resource: win10v2004-20241007-en
General
- Target: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
- Size: 2.6MB
- MD5: 3d9a5f944c590f6857ce536f40489f60
- SHA1: f5075b9092f36a62cca582b47e454cc13874aee5
- SHA256: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428
- SHA512: 3aa09ff9bfd1922f0fe807cbdb78499248127cdfb58d40c4e08ab449be0e04efd100e59dd1fdad328dc573cd8d2023ae2ba9da0399a52830544b8cd7d8ed9b96
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
- Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
- Executes dropped EXE (2 IoCs)
  pid 3128  Process locxbod.exe
  pid 2480  Process xoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQB\\bodaec.exe"
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9H\\xoptiloc.exe"
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locxbod.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                                 entries
  932   7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   4
  3128  locxbod.exe                                                             30
  2480  xoptiloc.exe                                                            30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid  Process                                                                 procid_target
  PID 932 wrote to memory of 3128      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   87
  PID 932 wrote to memory of 3128      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   87
  PID 932 wrote to memory of 3128      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   87
  PID 932 wrote to memory of 2480      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   88
  PID 932 wrote to memory of 2480      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   88
  PID 932 wrote to memory of 2480      932  7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe   88
Processes
- C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe"
  Depth: 1
  PID: 932
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    Depth: 2
    PID: 3128
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot9H\xoptiloc.exe
    Command line: C:\UserDot9H\xoptiloc.exe
    Depth: 2
    PID: 2480
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads