Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Resource: win10v2004-20241007-en
General
Target: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
Size: 2.6MB
MD5: c44913bc98605c7005cabb1c49c2afef
SHA1: 1845a2bf8f8c0ecb27ede9b86da76f722aff0c0a
SHA256: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb
SHA512: d7b4fc2de4384c421a77a08ed0993ec0a92bf0f95e3cba8173a19a6dc532d88a014da88a0d9272df71edb4b18d7736e967b23e88b196520157854509107133e7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSS:sxX7QnxrloE5dpUpEbF
Malware Config
Signatures

Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe

Executes dropped EXE (2 IoCs)
  pid 636: locxopti.exe
  pid 1644: xdobloc.exe

Loads dropped DLL (2 IoCs)
  pid 2304: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe (2 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8Z\\xdobloc.exe"
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC9\\optiaec.exe"
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xdobloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxopti.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, spread over three processes)
  pid 2304: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe (2 entries)
  pid 636: locxopti.exe (31 entries)
  pid 1644: xdobloc.exe (31 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2304 wrote to memory of 636    2304  86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe  29  (4 entries)
  PID 2304 wrote to memory of 1644   2304  86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe  30  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe (PID: 2304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (PID: 636, child of 2304)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Files8Z\xdobloc.exe (PID: 1644, child of 2304)
    Command line: C:\Files8Z\xdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads