Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:57
Static task: static1
Behavioral task: behavioral1
- Sample: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
- Resource: win10v2004-20241007-en
General
- Target: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
- Size: 2.6MB
- MD5: 32d09059b14cc49fe68b1141fee20360
- SHA1: 626d63ca2ce2096c6be7b8f185c5d0522109618a
- SHA256: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353
- SHA512: 793ac641b029d1050513d84c579b3d61bfeafb69fe34907be709ec5f4d132115cb097d046a96f1e52ac301cee6b2d31be988c25f55fdc88127d06c62e30b1a61
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpKbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (process: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
- Executes dropped EXE (2 IoCs)
  Processes: locxbod.exe, aoptiloc.exe
  PID 3172: locxbod.exe
  PID 2472: aoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\aoptiloc.exe" (process: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCR\\optixloc.exe" (process: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, locxbod.exe, aoptiloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptiloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, locxbod.exe, aoptiloc.exe
  PID 720 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe: 4 repeated entries
  PID 3172 locxbod.exe: 30 repeated entries
  PID 2472 aoptiloc.exe: 30 repeated entries
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
  PID 720 wrote to memory of 3172 (pid 720, process 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, procid_target 86): 3 repeated entries
  PID 720 wrote to memory of 2472 (pid 720, process 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe, procid_target 87): 3 repeated entries
Processes
- C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 720
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (tree level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3172
  - C:\FilesP0\aoptiloc.exe (tree level 2)
    Command line: C:\FilesP0\aoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2472
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 105376f95e3a7fc442938397d2600fce
  SHA1: 1efa3ca9787c87edd678830dfb30225a07601654
  SHA256: 5b21dc91d07193582beb446c88fd26a6e520d88e6f1fddb2cecf3a20bf0bff7f
  SHA512: 93108f58d0678fc62abc87e7593edf5ffbf9a12859c83c872457f06cbaf1f191d5d3e8249450854229b875ea9b5a157503aaf158911a4ed9de415188ea0c779f
- Filesize: 2.6MB
  MD5: 820ca0c38cb9749b1df9ddceb26e207d
  SHA1: 20dc3de64d15df1a2dbb04e7428a1f2b6771ba7c
  SHA256: d0abcb2a8ed39a19cf25c63fc9b4fdbe3866bfe364feb33a8ea359cad0403dd8
  SHA512: c4552c12873a55622b0e39d8d69ef91ac7772b2209d5083c06a51ce9adbde60bcdb4ae1ff8fc0124b793748d1a83fd32c96ba3d6ae3c8d821081c665abe22ec4
- Filesize: 2.6MB
  MD5: b74c4aa52b4bb01bdc7c19d9e37660d9
  SHA1: 7328b82067434d1f2d5b46644fa126ef24c170e2
  SHA256: 99cb60ceff99b1e4c55ad76ca84e83d7081e55e5a7db66a277b44d0a55ee07ef
  SHA512: bbf0d156f7ff9aa41ca9c7aeefe824b3698d8388af787defda348fcf5ecf21f737bdd21b6f7626428b98ffd43caacc90678ee7163887224fffd690a021c70bf6
- Filesize: 202B
  MD5: ad4a9e145d45266ae956d1a69fc05a9b
  SHA1: f48b0651770597447a76bf5238fc6fbf88026213
  SHA256: a1bd68dc2876026459d343dc6e673fede62204e56ec1b22c3331ba68afd1fc30
  SHA512: eecf1563a2bedd952ff6d61c09c5e5a96728772fdbe1e8c32b1f12e4ed0f3341e2b29d123d87630388dfbff68df0baf9630d9941f48a5c6789f51515250f690c
- Filesize: 170B
  MD5: 34d3fe86bf098731ff51cd2b420bbdaa
  SHA1: 55f1418d0ff7f6b71ab19eaa0a8722456a6fda60
  SHA256: 962642b00047fcb93a21f5d6f153388d2c81271dc0cb61eb45f4fe3c01fc95e4
  SHA512: c7f06a8a963f8df32fadebb3414e8983e42915ca65c81b7467da7f2d6bfc9188111f40a47d0e0e62c2b80b74f66a5afe0cdc0c1d8bb44d8fd997e08088c9de60
- Filesize: 2.6MB
  MD5: 1858afaf2bc7659da41969f5772091d8
  SHA1: 85b63e2cec40a4b4af5a1a64419af85f2d78bdec
  SHA256: 06dd07a6b87b810089ce39dee9154dbace2eca05473075913d1e1c9910eaff9a
  SHA512: 182235a91b2202ff3a7918eae3f16046ac8c31ccac312d10cdc99bc25851ffc7a5f6987afc58e0aaa36c0b543306a72543547c5766e031af2b41ee4a9e2cb681