Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:00

General

  • Target

    cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe

  • Size

    2.6MB

  • MD5

    5f84d08fc99bc0b5ff62a54c248de700

  • SHA1

    e1eb147143a95304448cf490a5d6980eda871afa

  • SHA256

    cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0

  • SHA512

    2314dbc7a30079e6d8db93ccbf682e396e6974841b818b0b05f86b248a9c57b071e3cf849698f9df708f4bb0a9f3cc51326ec2eb3d93f512ca69d837626afd47

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpwbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4852
    • C:\UserDotII\abodec.exe
      C:\UserDotII\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3256
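The signatures and process tree above describe a simple persistence chain: the sample in the user's Temp directory drops one executable into the Startup folder and another into a freshly created top-level directory, sets a Run key, and then launches both drops. The following detection sketch is an added example and is not part of the sandbox output; the events are constructed to mirror the tree above using Sysmon field names (Image, ParentImage, TargetFilename, TargetObject), and the Run value name and SID in the registry event are assumed, since the report does not print them.

```python
"""Persistence-chain detection over constructed Sysmon-style events.

Added example, not part of the sandbox report. The events below are
CONSTRUCTED to mirror the process tree and signatures above; the Run
value name and the SID in the registry event are assumed.
"""
import fnmatch
import re

# Startup folder and Temp directory of any user profile.
STARTUP_GLOB = r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe"
TEMP_GLOB = r"C:\Users\*\AppData\Local\Temp\*.exe"
# HKCU/HKLM ...\CurrentVersion\Run or RunOnce values.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# An EXE placed in a directory directly under the drive root (C:\UserDotII\, C:\KaVBRC\).
ROOT_DIR_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\locxbod.exe")
DROPPED_EXE = r"C:\UserDotII\abodec.exe"

# Constructed events: 11 = FileCreate, 13 = RegistryValueSet, 1 = ProcessCreate.
EVENTS = [
    {"EventID": 11, "ProcessId": 2228, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 2228, "Image": SAMPLE, "TargetFilename": DROPPED_EXE},
    {"EventID": 13, "ProcessId": 2228, "Image": SAMPLE,  # value name and SID assumed
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\abodec"},
    {"EventID": 1, "ProcessId": 4852, "Image": STARTUP_EXE,
     "ParentProcessId": 2228, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 3256, "Image": DROPPED_EXE,
     "ParentProcessId": 2228, "ParentImage": SAMPLE},
    # Benign control event that must not fire any rule.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
]


def match_path(path, pattern):
    """Case-insensitive glob match on a Windows path."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def detect(events):
    """Apply each rule to every event; return (rule, pid, detail) tuples."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            target = ev["TargetFilename"]
            if match_path(target, STARTUP_GLOB):
                findings.append(("drops_startup_file", pid, target))
            elif ROOT_DIR_EXE_RE.match(target):
                findings.append(("drops_exe_new_root_dir", pid, target))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append(("adds_run_key", pid, ev["TargetObject"]))
        elif eid == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            dropped = match_path(image, STARTUP_GLOB) or bool(ROOT_DIR_EXE_RE.match(image))
            if dropped and match_path(parent, TEMP_GLOB):
                # Credit the child for running from a drop location and the
                # parent for launching it, so the chain correlates on one PID.
                findings.append(("executes_dropped_exe", pid, image))
                findings.append(("spawns_dropped_exe", ev["ParentProcessId"], image))
    return findings


def summarize(findings):
    """Group distinct rule names by process ID."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return by_pid


def high_confidence(by_pid, threshold=3):
    """PIDs that trip at least `threshold` distinct rules: the dropper itself."""
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= threshold)


if __name__ == "__main__":
    summary = summarize(detect(EVENTS))
    for pid, rules in sorted(summary.items()):
        print(pid, sorted(rules))
    print("high confidence:", high_confidence(summary))
```

Any single rule here is noisy on its own (installers write to Startup and Run keys too); the point is the correlation in `summarize` and `high_confidence`, which only escalates a process that both writes persistence artifacts and launches what it wrote, as PID 2228 does in this report.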

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVBRC\optixloc.exe

          Filesize

          1.2MB

          MD5

          c91d3464c60c5b5148dcb2ebbb8d6c6d

          SHA1

          6dddf2180d4bf983aeed53bdae0739f180728dff

          SHA256

          d58fe3a217f490df0d327e51b9c5df67d288c3221a8775238f9ce2fabfcf462e

          SHA512

          e8639ab7d80347dd238bdf6c4a35af0ae1f7ece2dda2530f1c4352846567ed139e7fc8590fb6c7dc2510e47b98c35eec8d8f77cc9ea90120ead81c0015fb63b7

        • C:\KaVBRC\optixloc.exe

          Filesize

          37KB

          MD5

          9ba1f92f17320406dfe029e73132f1f8

          SHA1

          5178500c26e0bae7a24b5f6089f4efac6bd1c451

          SHA256

          e2bdabf6ea4b10b3bcdc7cc25b9413609a1f9f529940ba94824e408abb581504

          SHA512

          afcb08b444b349ced710fdcf62a34fe5d36f5ae3233e46e7dea8b228f13e34643000d248e3a4eb700d4def94bc096c9aa4988b02398441d2eb578682cd4eb835

        • C:\UserDotII\abodec.exe

          Filesize

          131KB

          MD5

          26991a7323425d01232d37cb094e7466

          SHA1

          c35c3f0cdbda25fd88f1d39dc07c623a9a25394b

          SHA256

          af25ad1f354e0a9b9af9625b0ff62750d55269a382acdc5d0eda0ded96daa83c

          SHA512

          8ddf1b20514ab76b2d74f09497589eb722ddde38c639c31307afec011c53c360debb4f69182f0e0ef72e87c20118afed6e21f2e0ed9da19669ec7663ecf62430

        • C:\UserDotII\abodec.exe

          Filesize

          2.6MB

          MD5

          63a9b7065fe4c6908caf527173847371

          SHA1

          621a851c6f6ded04ae33be11e91c4d767537e32b

          SHA256

          aa2ea1a9379653bafd2d21adb4bb0c73ab5b00c46e7ff9dc46b0c536be5c27b7

          SHA512

          dece9e22c1135bd3fd7b69a541eaa3cb50f9f7aba3a02685afb38f63da5645f96ae5e3149c79571987a27f75fcaf846e859bc6375d97a2b25b511b1714ded50a

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          7b7426f3c1aabc68316b23ae295425af

          SHA1

          b41b91b9cb9cff9a0ed1095236233b232a02eb6a

          SHA256

          c4d534f675928ab244dfa9cd3f8328e8ac1c08cd28216e78106205ba68d915dd

          SHA512

          c21243ce7f22d87279741a25467d09a73eb9fc6e5afe34d0bf78d990b6768f3c53761fe37bac9bb62f6c27fe2166727506be02f7f6e2b46eb9667e5252146316

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          2cb720d83b7252983524eafa54b288b9

          SHA1

          46bdbe4001f39718908b1c0d80bb5924550e4edc

          SHA256

          3b323139fc52500240c6de22c74444facb5c12a01d49622b742d8eb0bdf0e10c

          SHA512

          816dba094e3eb23e130b82b8836481f90abe22d02658616404fe7ecb4556e3f30f2a0afd429d4d18427fdb51a50257858e42bfd5372b8420b071631ec2be685d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

          Filesize

          2.6MB

          MD5

          a94758262f254b2c166cf61d3b980711

          SHA1

          a1f4276fcb5550ecfff04db01656079e4d9326ae

          SHA256

          4cd681872029519e7278099043dbea6fa111c3a66b84cc0718a1301d2a86a44b

          SHA512

          fef4f5fc9b415b4f212078819f573521e384068e57b9e12258d4566606102eb893f91c02a4ac033515ede79c4f457136c2e5c10c3a456a2fab835751f8fe8532