Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Resource: win10v2004-20241007-en
General
Target: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Size: 2.6MB
MD5: 421c7abb8fe0f0daaab456397d9a8530
SHA1: 494882bea05d1d21899a66c47c579e63c0bf6fe9
SHA256: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331
SHA512: cd7571f3063d4f93bb0c83da40e746d16d260b4b20a1378d23b24bbfe82cc9ef2caf2c16f4e0f6a4ca892ce62d71602b08396b722b5e4d484d8b2c6982df4fa0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUp0bV
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Executes dropped EXE 2 IoCs
pid | Process
664 | locxopti.exe
2080 | xoptisys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1J\\xoptisys.exe" | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ45\\dobdevsys.exe" | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 4
664 | locxopti.exe | 30
2080 | xoptisys.exe | 30
(64 events in total: four from the parent process, then alternating pairs from locxopti.exe and xoptisys.exe.)
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3092 wrote to memory of 664 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 89
PID 3092 wrote to memory of 664 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 89
PID 3092 wrote to memory of 664 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 89
PID 3092 wrote to memory of 2080 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 90
PID 3092 wrote to memory of 2080 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 90
PID 3092 wrote to memory of 2080 | 3092 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe"
  PID: 3092
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 664
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Files1J\xoptisys.exe
      Command line: C:\Files1J\xoptisys.exe
      PID: 2080
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
MD5: eca5ea25f6a32a95c09d2d11f140c43b
SHA1: fc7c4ffc46b345747cc079073a62c80c129f2442
SHA256: 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17
SHA512: 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Filesize: 2.6MB
MD5: 8839c5ebad72a548b63c216f9a0a7866
SHA1: 553ac8a0f653d43563bef4ca4d614341ace54659
SHA256: cc64494d6c698ef37df4dcf77fcc72ffd5f11539d3b10cf3e17653b59d384561
SHA512: 3d131492b919a98b6e663f7c94270dbbcd05eceb705229bad26487d1253624dfe3d320be3fbed5546dd3f26e561da1f51d8b338ca4409562abe0b83ec509d892

Filesize: 2.6MB
MD5: b852f911c29e5fb4b64d7e631de662a4
SHA1: 74f74ea12475b1e1c11ea996c2248920bd01133a
SHA256: b07458d6bba981daf35b7dfd19ce730cd999755457f340f263e95b32718fd9df
SHA512: 6837804c20eb4aca1bac2b378a81a44e4b9fcb7f8736fcb10176c5a7c461a7374264f7b3e9590ed7811fab8a66667744719c4548acbe94e0297b0751dfd6c980

Filesize: 12KB
MD5: 63a0ef76826092fea4e01baf01c034cd
SHA1: 7928773c93e5415d90fd843aab4e88e2aac63b3e
SHA256: 352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a
SHA512: b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c

Filesize: 204B
MD5: 9623edc11a67c4d60781f907a3bdf39f
SHA1: 8fadc3a92a44b8086c3f7929072389f3d19ed135
SHA256: 237190de3e4706378702eeedb1dc8c6bb832f6474607c18f46d0cf0e9f20e91f
SHA512: e9bb2fd8a953311405bdb12984365f6dbb1e135bd4f2e17a518b8f434ab0e0283b9a59b98c20b75b73fa682a93496109702033ea66a8ee663dfa84f1a9a70128

Filesize: 172B
MD5: ad0fce00d09c0d51defdbe8f2b1fb857
SHA1: 1bce93f218b383f6b55ee72bb0f2b89ea2556a86
SHA256: 1ef3497d67349180f60104969cd4cd75fe4e80ce502c4f0cf479c9adbb345db0
SHA512: 2f21ddb0a27601a04b821e4c959c87bed8e8eaaab79a33ad463babcae8704e5b005713528df2edf773f071eec446322ca460d64710ffdd3bccb2a8d7fd08643a

Filesize: 2.6MB
MD5: b938d0099c2a961641242cf99aac9610
SHA1: 0138825a28b45515b7b59501bdcf7184ae94b866
SHA256: d52942c03bee16dd90507955085a71cb2a1dedcc4525a0263454447df871a73c
SHA512: 0dc77a05c94fc7d1b120ae68b6966dc21df0c12cc0ebc3b716322233ddf12a2189161b4de2c4e7406de704145a0dbcce436f61101138d64219a0773a11e100a0