Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/11/2024, 17:00
Static task
static1
Behavioral task
behavioral1
Sample
cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
Resource
win10v2004-20241007-en
General
-
Target
cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
-
Size
2.6MB
-
MD5
5f84d08fc99bc0b5ff62a54c248de700
-
SHA1
e1eb147143a95304448cf490a5d6980eda871afa
-
SHA256
cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0
-
SHA512
2314dbc7a30079e6d8db93ccbf682e396e6974841b818b0b05f86b248a9c57b071e3cf849698f9df708f4bb0a9f3cc51326ec2eb3d93f512ca69d837626afd47
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpwbV
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe -
Executes dropped EXE 2 IoCs
pid Process 1732 locxopti.exe 2076 xoptisys.exe -
Loads dropped DLL 2 IoCs
pid Process 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe54\\xoptisys.exe" cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKQ\\boddevloc.exe" cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language locxopti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xoptisys.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe 1732 locxopti.exe 2076 xoptisys.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3048 wrote to memory of 1732 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 30 PID 3048 wrote to memory of 1732 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 30 PID 3048 wrote to memory of 1732 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 30 PID 3048 wrote to memory of 1732 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 30 PID 3048 wrote to memory of 2076 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 31 PID 3048 wrote to memory of 2076 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 31 PID 3048 wrote to memory of 2076 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 31 PID 3048 wrote to memory of 2076 3048 cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1732
-
-
C:\Adobe54\xoptisys.exeC:\Adobe54\xoptisys.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2076
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD566b2c97acd514c9ff7fd58c10b3776a0
SHA12d3b64f758b7ac257494cce19960db126af0b10b
SHA25608970944b765491fc2bb5535ddc685511d25102be716eb817f3028d011088e0f
SHA5127e6dfc7a9c7cc7f190c257f5dfe3132d1b59f7f22e893ed320d8aa2c1c8d9f48b5287bdbe3dce79dbac68eccac2ac2522c07fd0e1c38a33764a34acb8c412ba0
-
Filesize
2.2MB
MD500e3954edc8373bd9c2475d2a65ce9d0
SHA1983cb672d389ea2a2f32c034361908b12f1328a7
SHA2568e2e9ff943889915fedeb41125228978d16698f4b7d4ceaa196c98a95b3ab84c
SHA5128f59882095832f7465cfae7637068414ccb28d4a0e77e6747b1f756626abc9e7f6ec8cf12d3c2cac9ab393d8094d2463eee33643b70945db88ad0783faadb56f
-
Filesize
2.6MB
MD59d25afffe9d1b54be65f222d3cc35dd6
SHA1def370ca79668a44efdd2f4dc1c601cbeceeeaf7
SHA25680fb8fbf44553097974b204b6b9d4414b482e0e37a6764057a191110b231abef
SHA51236c1dfeabb4a7f7b400fa756ccb1fe33d856029da7168c049a70856c00e1e07304b8e1189e812c468513b3bd22ab32af8ae720b9ea4bec40258a1b90764219dc
-
Filesize
172B
MD5654fd11b063ee3e36b4fdd3ce222226e
SHA1343a73b926f898883b99ee3ef608f4237082b3a8
SHA256f09b0ebbf693eddf52ffe937b8813abc2d558966df564f6d7c7ceaa5b7bc70c3
SHA5121da15bac57d2187d99e8dcaa1c4082efedb4f251c38ce566b6e2afd69370bd696300f55eb46683240dbaf15e577e8a0aa3e0562c9a42cdf08f334102c19fdf47
-
Filesize
204B
MD5e7842e162ed23e7597d726eebe2d10bd
SHA1019c7ea08d61232d99c1f668159e1085c1474246
SHA2568e0b78e262f5cc8160ff5c42ba2ecabfa2bd30d132dabf10a230c1297b6fd188
SHA5128f67fb3ce3acbb21f7c3e73a29812050884e4cb1f9a44b92fa578ff8cfb544ddd296a6a4e47195612b3b4a79eff44c9a743eca9c4ec04c269643764f121bd3f7
-
Filesize
2.6MB
MD5b0574acf458f8cc31c5ff8353d7d3f11
SHA1c8fab530b43e63d3a2bd83f0947ba7a5b78e4e57
SHA256663e1acbbd944683192bc8ff36566ef0e2b956898db4866dec52c65e37c3d0a7
SHA5122f917a1ef7c80b5855c4cddd0f1f76d354924421043e7ac62a0718a3f6f9fbb1f8800283e4895ae87f12600b499f20be292ad0f47965993ef115a35c0f419d83