Analysis
-
max time kernel
119s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12/11/2024, 17:21
Static task
static1
Behavioral task
behavioral1
Sample
f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
Resource
win10v2004-20241007-en
General
-
Target
f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
-
Size
2.6MB
-
MD5
b02acf8834d13c489e9d68c88e408a00
-
SHA1
1138f824f9ea808c7c7456c09168672f04a6a07a
-
SHA256
f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59
-
SHA512
6dd195588b647e254b454d6017c20c22177e912fbe7280fd0638dac9496ecbe323c90b64577f1879634d1ae75493326636a2ddd74f33dd6a00a1e22d6e56bb89
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpDb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2524 | locxdob.exe
4764 | aoptiec.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe" | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe" | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 4
2524 | locxdob.exe | 30
4764 | aoptiec.exe | 30
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4824 wrote to memory of 2524 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 87
PID 4824 wrote to memory of 2524 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 87
PID 4824 wrote to memory of 2524 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 87
PID 4824 wrote to memory of 4764 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 90
PID 4824 wrote to memory of 4764 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 90
PID 4824 wrote to memory of 4764 | 4824 | f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4824
  Child processes:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2524
    C:\SysDrvY1\aoptiec.exe
      Command line: C:\SysDrvY1\aoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4764
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 16KB
MD5 7194af4ca8b5784e038c373119d798e5
SHA1 9c114add88126c1358d7020ca7697c5b0528ea2d
SHA256 f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050
SHA512 dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992
-
Filesize 2.6MB
MD5 f1532f6d4577f6c53a5b165b06d12fbe
SHA1 f3c0c35d06ed9298996e1b5fb93d43354c4eaac5
SHA256 4e1e07606d8cb72bb98ed4392c64962ac7fa5f0e029d7daf06a60a7b44d8fdb3
SHA512 10934786bb2fb62e6c0c40a4b81f18acd3d993fae996b7a3f2a67ac108971e6e288d47e4146e8baecdb87e7a9be5275022879d44403e750d83abe02c73d85043
-
Filesize 15KB
MD5 baebd565738a73b1785d23f85b9b1880
SHA1 3e776227196d9cbee3a9edf120876f20e6af105e
SHA256 d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7
SHA512 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0
-
Filesize 2.6MB
MD5 63500340a71f9a11b60ec273155857aa
SHA1 c10f4d8b64900a0a3c1513a0d704eca7dca02ccb
SHA256 384150a36cd9cdae9137632bd6df57ee2933342a01746e2f51b45c165586be62
SHA512 442a22fca97b7a23364bb31d68cd14b1169ad42e24d5f9e5eae933fc1584206b7772089f2adc8acd0dac30e4813cae8356188e3094ab6d86d324a5834a7b3720
-
Filesize 201B
MD5 d259cd59da211a5963f7c7745cb9033e
SHA1 7fdb1c2fa136356e711bff75cf69608592c28474
SHA256 fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0
SHA512 f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51
-
Filesize 169B
MD5 395aed0919abbcedad21936d19aacc03
SHA1 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915
SHA256 a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30
SHA512 f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af
-
Filesize 2.6MB
MD5 b0db2fc4c001e1678b8463652484550e
SHA1 327afef2fe550e9ce3109d435614e65c4c03c932
SHA256 0543244fabbd49892985f4b4a84b8e767a2605fb057cc9544959ba25ca61ad75
SHA512 d6efc49f9e417fb829705cba251062679ed2bf7b049dfc642c42f3562e6361f61bf94354f2dad43ded771bf3f4677a5e50ed1077186a6399748bdb4b486b07f9