Analysis
- max time kernel: 119s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 13-11-2024 13:29
Static task: static1
Behavioral task: behavioral1
- Sample: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
- Resource: win10v2004-20241007-en
General
- Target: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
- Size: 2.6MB
- MD5: 6c649a12d61a5f3889c77d89f4aa7976
- SHA1: 7dff6159d926f37bd63ff8628c26e682bfef485f
- SHA256: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699
- SHA512: 2de6e0dd6219de9ddcdb94ec539519aac987298784f49ab958bc1119ed91f4cef3e23c49ba911335d3a794f44391ed382cbd14dc19148465a976a0236e31db40
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqt:sxX7QnxrloE5dpUpebVt
Malware Config
Signatures
- Drops startup file (1 IoCs)
  Processes:
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | Process
  3332 | locdevdob.exe
  2924 | xoptisys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot23\\xoptisys.exe" | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVB\\optixec.exe" | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptisys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated entries collapsed; 4 + 30 + 30 = 64 IoCs):
  pid | Process | entries
  3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 4
  3332 | locdevdob.exe | 30
  2924 | xoptisys.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3892 wrote to memory of 3332 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 86
  PID 3892 wrote to memory of 3332 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 86
  PID 3892 wrote to memory of 3332 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 86
  PID 3892 wrote to memory of 2924 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 87
  PID 3892 wrote to memory of 2924 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 87
  PID 3892 wrote to memory of 2924 | 3892 | acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe (PID 3892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 3332)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot23\xoptisys.exe (PID 2924)
    Command line: C:\UserDot23\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 9b788d88074071a373372ff5c4fd8285
  SHA1: 35b88b7248ca9dcdf8c23bc60ce8c816562b6219
  SHA256: 1c511c565eae19d9a8244345375baae20b530e088b6dcc0e8bdb875d7c37e131
  SHA512: 30393f29820a1954626a41540f15950a3fce4526ed758486bb949cfe4ee8cbef2a634f8e37f4973a3c6c8a45c429c03ada6511593b84dd4c988f8e0102fbfcd0
- Filesize: 204B
  MD5: bbe8583f9e8773d0c675439989bdb09a
  SHA1: e0269974096fe7555d89b6b359217730b6b1b90d
  SHA256: bd8808b03f476f52ac53338c11ce9d75f92a5d829e20dc5bcc7783cc01865807
  SHA512: 31e0cd58dad137136a4843a85151efee8f34cde8c282e1606194cac807e2945c7c5edcae3241ff28e37b98020c492216cfef3b19748c868209a68c7b2f48ed19
- Filesize: 172B
  MD5: f3ed21f118893b12486815d2656b758e
  SHA1: d438044644371fdc7ead55a675971d60ba5b6a5e
  SHA256: c5dff8a3f833cd2ed34392a0496541d2de72cb16a6536f90df3fde5826dc51c0
  SHA512: ffa72064dac6dcf740fab2c3db12fd5462e1ee2224001deb80b6f5ddbeb180cb352d7e69f0467910d3f439d23a7ba400aaeb3e7d82332f5b4ff348a8c2a5e913
- Filesize: 2.6MB
  MD5: d8ee8dc43910b478dd7d9d92fe0071e1
  SHA1: c777932663e0f5f6eec327fdb2969f7caae01a33
  SHA256: 3e18f2bd334c8b66dd332e0817e091cebd125bba22c1e128fdcaa025a968def7
  SHA512: 855d29c3a9802993bc8a2614c50f22e655ca0c87728f51cb3fe2d3e7b0ed7af7df39c2819888117061d1f6808c9e6ffca97269824bcb21c1f7be37d51e337161
- Filesize: 683KB
  MD5: f454d81522ed7109ede29f80b0be07dd
  SHA1: ffc6a0844a6f2028191300bdba3979c560b76f99
  SHA256: a45c9ff8cc901b1702f139060c27d0c16d87861fe226b4182c816940f6ffc473
  SHA512: 70ddb58be6167e7370c3fe74ec422aa52e045756307959b826bacfb977820e85dbca354c04aebf39d41329c036c750e232ebdcef4bb1ea15a09d58e48780743f
- Filesize: 339KB
  MD5: cdaa677df0a72ca1249b443945efb7ea
  SHA1: 8394e1140fe426e2c3c2c0d8434ba1262d5177e3
  SHA256: b16a5b08e31dc92faa667ba8f280a734ab16ba01da682c3eef5469414f1880cb
  SHA512: d0fe457dc200f5f7bee1cfbb80d6a1d2e7b58a1a9956a6a4f2d84fc065fd661d5fe54bb2d628e498dd9f7536f479d058c784dfd3f7add299d3570f4d57dc68de