Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
  Resource: win10v2004-20241007-en
General
Target: bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
Size: 2.6MB
MD5: a6d513ce453adbb9d7e7eca7db2e6890
SHA1: e9b8a491095e05b9325c60b26ab25efa78a8ccbb
SHA256: bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24b
SHA512: 8245d660844ca779b56a557807fc64d5425ab5f33760fe77391e2b199df05c0f5cf27330d451366e480f9012002896297ae129a0ca6f6e1689af780a4acafdeb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUphbV
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
  bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
Executes dropped EXE (2 IoCs)
Processes:
  PID 2460 locxopti.exe
  PID 2572 devbodloc.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 2476 bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2V\\devbodloc.exe"
    Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5J\\dobdevec.exe"
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by locxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by devbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 2476 bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe (2 entries)
  PID 2460 locxopti.exe and PID 2572 devbodloc.exe (remaining entries, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 2476 bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe wrote to memory of PID 2460 (procid_target 30), 4 entries
  PID 2476 bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe wrote to memory of PID 2572 (procid_target 31), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe"
  PID: 2476
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (child of PID 2476)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    PID: 2460
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\UserDot2V\devbodloc.exe (child of PID 2476)
    Command line: C:\UserDot2V\devbodloc.exe
    PID: 2572
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads