Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:00

General

  • Target

    cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe

  • Size

    2.6MB

  • MD5

    5f84d08fc99bc0b5ff62a54c248de700

  • SHA1

    e1eb147143a95304448cf490a5d6980eda871afa

  • SHA256

    cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0

  • SHA512

    2314dbc7a30079e6d8db93ccbf682e396e6974841b818b0b05f86b248a9c57b071e3cf849698f9df708f4bb0a9f3cc51326ec2eb3d93f512ca69d837626afd47

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpwbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and other sensitive items.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1732
    • C:\Adobe54\xoptisys.exe
      C:\Adobe54\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2076

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Adobe54\xoptisys.exe

          Filesize

          2.6MB

          MD5

          66b2c97acd514c9ff7fd58c10b3776a0

          SHA1

          2d3b64f758b7ac257494cce19960db126af0b10b

          SHA256

          08970944b765491fc2bb5535ddc685511d25102be716eb817f3028d011088e0f

          SHA512

          7e6dfc7a9c7cc7f190c257f5dfe3132d1b59f7f22e893ed320d8aa2c1c8d9f48b5287bdbe3dce79dbac68eccac2ac2522c07fd0e1c38a33764a34acb8c412ba0

        • C:\MintKQ\boddevloc.exe

          Filesize

          2.2MB

          MD5

          00e3954edc8373bd9c2475d2a65ce9d0

          SHA1

          983cb672d389ea2a2f32c034361908b12f1328a7

          SHA256

          8e2e9ff943889915fedeb41125228978d16698f4b7d4ceaa196c98a95b3ab84c

          SHA512

          8f59882095832f7465cfae7637068414ccb28d4a0e77e6747b1f756626abc9e7f6ec8cf12d3c2cac9ab393d8094d2463eee33643b70945db88ad0783faadb56f

        • C:\MintKQ\boddevloc.exe

          Filesize

          2.6MB

          MD5

          9d25afffe9d1b54be65f222d3cc35dd6

          SHA1

          def370ca79668a44efdd2f4dc1c601cbeceeeaf7

          SHA256

          80fb8fbf44553097974b204b6b9d4414b482e0e37a6764057a191110b231abef

          SHA512

          36c1dfeabb4a7f7b400fa756ccb1fe33d856029da7168c049a70856c00e1e07304b8e1189e812c468513b3bd22ab32af8ae720b9ea4bec40258a1b90764219dc

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          654fd11b063ee3e36b4fdd3ce222226e

          SHA1

          343a73b926f898883b99ee3ef608f4237082b3a8

          SHA256

          f09b0ebbf693eddf52ffe937b8813abc2d558966df564f6d7c7ceaa5b7bc70c3

          SHA512

          1da15bac57d2187d99e8dcaa1c4082efedb4f251c38ce566b6e2afd69370bd696300f55eb46683240dbaf15e577e8a0aa3e0562c9a42cdf08f334102c19fdf47

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          e7842e162ed23e7597d726eebe2d10bd

          SHA1

          019c7ea08d61232d99c1f668159e1085c1474246

          SHA256

          8e0b78e262f5cc8160ff5c42ba2ecabfa2bd30d132dabf10a230c1297b6fd188

          SHA512

          8f67fb3ce3acbb21f7c3e73a29812050884e4cb1f9a44b92fa578ff8cfb544ddd296a6a4e47195612b3b4a79eff44c9a743eca9c4ec04c269643764f121bd3f7

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

          Filesize

          2.6MB

          MD5

          b0574acf458f8cc31c5ff8353d7d3f11

          SHA1

          c8fab530b43e63d3a2bd83f0947ba7a5b78e4e57

          SHA256

          663e1acbbd944683192bc8ff36566ef0e2b956898db4866dec52c65e37c3d0a7

          SHA512

          2f917a1ef7c80b5855c4cddd0f1f76d354924421043e7ac62a0718a3f6f9fbb1f8800283e4895ae87f12600b499f20be292ad0f47965993ef115a35c0f419d83