Analysis
max time kernel: 119s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:02
Static task: static1
Behavioral task: behavioral1
  Sample: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  Resource: win10v2004-20241007-en
General
Target: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
Size: 2.6MB
MD5: aac09bdd2392a2bd5b0f983971740f48
SHA1: 7cff1a49e05e3f288540556e3def7d836973b3dd
SHA256: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721
SHA512: d4007105435f1d06de9ef1f5f3333f8375a73f88dbd2ee60582a296786334916b85aa9d31cc7ef0a5be571ca4f3b75ef3b1c9229cd9f56ba22ab95aa5cf79fc4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSy:sxX7QnxrloE5dpUpsb1
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
  description   ioc                                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe   61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
Executes dropped EXE 2 IoCs
Processes:
  pid   Process
  1908  locxopti.exe
  4868  xdobsys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3C\\xdobsys.exe"     61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRA\\dobaec.exe"   61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   locxopti.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   xdobsys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the 64 entries are repeats of these three pid/Process pairs):
  pid   Process
  2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
  1908  locxopti.exe
  4868  xdobsys.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description                          pid   Process                                                                 procid_target
  PID 2084 wrote to memory of 1908     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  86
  PID 2084 wrote to memory of 1908     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  86
  PID 2084 wrote to memory of 1908     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  86
  PID 2084 wrote to memory of 4868     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  87
  PID 2084 wrote to memory of 4868     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  87
  PID 2084 wrote to memory of 4868     2084  61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe  87
Processes
1. C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2084
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1908
   2. C:\Adobe3C\xdobsys.exe
      Command line: C:\Adobe3C\xdobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4868
Network
MITRE ATT&CK Enterprise v15
Downloads