Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 13:57

General

  • Target: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
  • Size: 2.6MB
  • MD5: 32d09059b14cc49fe68b1141fee20360
  • SHA1: 626d63ca2ce2096c6be7b8f185c5d0522109618a
  • SHA256: 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353
  • SHA512: 793ac641b029d1050513d84c579b3d61bfeafb69fe34907be709ec5f4d132115cb097d046a96f1e52ac301cee6b2d31be988c25f55fdc88127d06c62e30b1a61
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpKbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
    "C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3172
    • C:\FilesP0\aoptiloc.exe
      C:\FilesP0\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesP0\aoptiloc.exe
    Filesize: 2.6MB
    MD5: 105376f95e3a7fc442938397d2600fce
    SHA1: 1efa3ca9787c87edd678830dfb30225a07601654
    SHA256: 5b21dc91d07193582beb446c88fd26a6e520d88e6f1fddb2cecf3a20bf0bff7f
    SHA512: 93108f58d0678fc62abc87e7593edf5ffbf9a12859c83c872457f06cbaf1f191d5d3e8249450854229b875ea9b5a157503aaf158911a4ed9de415188ea0c779f

  • C:\MintCR\optixloc.exe
    Filesize: 2.6MB
    MD5: 820ca0c38cb9749b1df9ddceb26e207d
    SHA1: 20dc3de64d15df1a2dbb04e7428a1f2b6771ba7c
    SHA256: d0abcb2a8ed39a19cf25c63fc9b4fdbe3866bfe364feb33a8ea359cad0403dd8
    SHA512: c4552c12873a55622b0e39d8d69ef91ac7772b2209d5083c06a51ce9adbde60bcdb4ae1ff8fc0124b793748d1a83fd32c96ba3d6ae3c8d821081c665abe22ec4

  • C:\MintCR\optixloc.exe
    Filesize: 2.6MB
    MD5: b74c4aa52b4bb01bdc7c19d9e37660d9
    SHA1: 7328b82067434d1f2d5b46644fa126ef24c170e2
    SHA256: 99cb60ceff99b1e4c55ad76ca84e83d7081e55e5a7db66a277b44d0a55ee07ef
    SHA512: bbf0d156f7ff9aa41ca9c7aeefe824b3698d8388af787defda348fcf5ecf21f737bdd21b6f7626428b98ffd43caacc90678ee7163887224fffd690a021c70bf6

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: ad4a9e145d45266ae956d1a69fc05a9b
    SHA1: f48b0651770597447a76bf5238fc6fbf88026213
    SHA256: a1bd68dc2876026459d343dc6e673fede62204e56ec1b22c3331ba68afd1fc30
    SHA512: eecf1563a2bedd952ff6d61c09c5e5a96728772fdbe1e8c32b1f12e4ed0f3341e2b29d123d87630388dfbff68df0baf9630d9941f48a5c6789f51515250f690c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 34d3fe86bf098731ff51cd2b420bbdaa
    SHA1: 55f1418d0ff7f6b71ab19eaa0a8722456a6fda60
    SHA256: 962642b00047fcb93a21f5d6f153388d2c81271dc0cb61eb45f4fe3c01fc95e4
    SHA512: c7f06a8a963f8df32fadebb3414e8983e42915ca65c81b7467da7f2d6bfc9188111f40a47d0e0e62c2b80b74f66a5afe0cdc0c1d8bb44d8fd997e08088c9de60

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 1858afaf2bc7659da41969f5772091d8
    SHA1: 85b63e2cec40a4b4af5a1a64419af85f2d78bdec
    SHA256: 06dd07a6b87b810089ce39dee9154dbace2eca05473075913d1e1c9910eaff9a
    SHA512: 182235a91b2202ff3a7918eae3f16046ac8c31ccac312d10cdc99bc25851ffc7a5f6987afc58e0aaa36c0b543306a72543547c5766e031af2b41ee4a9e2cb681