Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 19:47

Static task: static1
Behavioral task: behavioral1
  Sample: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Resource: win10v2004-20241007-en
General
Target: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
Size: 2.6MB
MD5: 095d375e30551efe363dee87431283e0
SHA1: ffd6bda3580ea75580b6d5f499b3b530228bf312
SHA256: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3
SHA512: 29b578038c227a9aea78e59d03865bf76a14fb6340a9c0cf87f56863f33e815e4d2b7509eacc4e1e29c17d05d726bf4e0d03ec0ee56688770972c3e5a8b939ec
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSm:sxX7QnxrloE5dpUpyb/
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
Executes dropped EXE (2 IoCs)
  PID 2336: locdevbod.exe
  PID 212: xoptiloc.exe
Reads user/profile data of web browsers (3 TTPs; no IoC rows are listed for this signature in the report)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = C:\Vid0G\dobdevec.exe
  Process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = C:\FilesR3\xoptiloc.exe
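A detection pass over the two persistence signatures above (the Startup-folder drop and the Run/RunOnce values), written here as an added example; it is not code from the report or from the sandbox vendor. It turns the report's IoCs into rules and runs them against a handful of constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 13 RegistryEvent value-set, using Sysmon's field names; the records themselves are made up, including one benign-looking Run entry to show that the generic rule and the exact-IoC rule differ). Two practitioner notes, both supported by the report: the value name `Parametr` is shared by the Run and RunOnce entries, and the RunOnce target `C:\Vid0G\dobdevec.exe` never appears in the process tree, which is expected because RunOnce fires at the next logon, outside the 120 s run, so a host hunt should look for that file on disk and not only for a running process.

```python
"""Run the report's persistence IoCs as detection rules over Sysmon-style events.

Added example, not part of the sandbox report. SAMPLE_EVENTS below are
constructed: they imitate Sysmon Event ID 11 (FileCreate) and Event ID 13
(RegistryEvent, value set) as exported to JSON, using Sysmon's field names,
but no real log was used.
"""
import fnmatch
import re

# Rule 1, from "Drops startup file": an executable written to the per-user
# Startup folder. Shell-style glob, compared on lower-cased paths.
STARTUP_GLOB = r"*\appdata\roaming\microsoft\windows\start menu\programs\startup\*.exe"

# Rule 2, from "Adds Run key to start application": a value set directly under
# ...\Software\Microsoft\Windows\CurrentVersion\Run or \RunOnce. Any hive prefix
# is accepted (Sysmon writes HKU\..., the report shows \REGISTRY\USER\...).
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)

# Exact IoCs from the report: the value name and the two autostart targets.
REPORT_VALUE_NAME = "Parametr"
REPORT_TARGETS = {r"c:\vid0g\dobdevec.exe", r"c:\filesr3\xoptiloc.exe"}


def classify(event):
    """Return the rule names an event triggers; an empty list means no hit."""
    hits = []
    if event.get("EventID") == 11:
        path = event.get("TargetFilename", "").lower()
        if fnmatch.fnmatchcase(path, STARTUP_GLOB):
            hits.append("startup_folder_exe_dropped")
    elif event.get("EventID") == 13 and event.get("EventType") == "SetValue":
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if m:
            key, value_name = m.group(1).lower(), m.group(2)
            hits.append(f"{key}_value_set")
            # Sysmon's Details field carries the REG_SZ data; tolerate quoting.
            target = event.get("Details", "").strip().strip('"').lower()
            if value_name == REPORT_VALUE_NAME and target in REPORT_TARGETS:
                hits.append("matches_report_ioc")
    return hits


def scan(events):
    """Map event index -> triggered rules, only for events that triggered any."""
    result = {}
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            result[i] = hits
    return result


SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"  # SID shown in the report
HKU = "HKU\\" + SID  # Sysmon's rendering of \REGISTRY\USER\<SID>
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"

SAMPLE_EVENTS = [  # constructed records, not a captured log
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\Vid0G\dobdevec.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesR3\xoptiloc.exe"},
    # Benign-looking Run entry (hypothetical): generic rule fires, exact-IoC rule does not.
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SomeUpdater",
     "Details": r"C:\Program Files\SomeVendor\updater.exe /quiet"},
    # Unrelated file write (hypothetical): no rule fires.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The generic rules (`*_value_set`, `startup_folder_exe_dropped`) are what you would deploy; the `matches_report_ioc` tag is only useful for confirming this specific sample, since the value name and paths are trivially changed between builds.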
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe; Description: Key opened; IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevbod.exe; Description: Key opened; IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiloc.exe; Description: Key opened; IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Note: this key is also read by ordinary locale-aware software, so on a real host it is context for the other signatures rather than a detection on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The report lists every hit as its own row (pid, process); grouped by process:
  PID 1536: e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe, 4 hits
  PID 2336: locdevbod.exe, 30 hits
  PID 212: xoptiloc.exe, 30 hits
The 60 hits from the two dropped executables alternate in pairs (two from locdevbod.exe, two from xoptiloc.exe) for the rest of the run.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1536 (e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe) wrote to memory of PID 2336, 3 times (procid_target 87)
  PID 1536 (e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe) wrote to memory of PID 212, 3 times (procid_target 88)
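The WriteProcessMemory rows above read together with the process tree below: PID 1536 is the parent of both 2336 and 212, and each child receives exactly three writes. A parent writing a few times into a process it has just spawned is what a normal process launch looks like on Windows (the parent sets up the new process before its first thread runs), so on its own this is a weak signal; the same API used against a process the writer did not create is the strong one. The following added example, not taken from the report or the sandbox, correlates the two event types to make that distinction. Its events are constructed to mirror the report's rows, with one extra hypothetical write to an unrelated PID 4000 that the report does not contain and that exists only to show the contrasting verdict; field names are assumptions, not a real product's schema.

```python
"""Correlate process creation with cross-process memory writes.

Added example, not taken from the report or the sandbox. EVENTS is constructed
to mirror the report's process tree and its six WriteProcessMemory rows, plus
one hypothetical write to an unrelated PID (4000) that the report does not
contain. Field names ("type", "pid", "ppid", "target") are assumptions.
"""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"

EVENTS = [
    # The report does not show the parent of 1536, so its ppid is left None.
    {"type": "create", "pid": 1536, "ppid": None, "image": SAMPLE},
    {"type": "create", "pid": 2336, "ppid": 1536,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"},
    {"type": "create", "pid": 212, "ppid": 1536, "image": r"C:\FilesR3\xoptiloc.exe"},
    # The six rows from "Suspicious use of WriteProcessMemory".
    *({"type": "write", "pid": 1536, "target": 2336} for _ in range(3)),
    *({"type": "write", "pid": 1536, "target": 212} for _ in range(3)),
    # Hypothetical, NOT in the report: a write into a process 1536 did not create.
    {"type": "write", "pid": 1536, "target": 4000},
]


def parent_map(events):
    """pid -> ppid for every process-create event."""
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "create"}


def triage_writes(events):
    """Group memory writes by (writer, target) and grade each pair.

    A parent writing into a child it created is the shape of an ordinary
    process launch and is graded low. A write into any other process is the
    classic injection shape and is graded high.
    """
    parents = parent_map(events)
    pairs = Counter((e["pid"], e["target"]) for e in events if e["type"] == "write")
    findings = {}
    for (writer, target), n in pairs.items():
        if parents.get(target) == writer:
            relation, severity = "own_child", "low"
        else:
            relation, severity = "unrelated", "high"
        findings[(writer, target)] = {"count": n, "relation": relation, "severity": severity}
    return findings


def render_tree(events, root):
    """Indented process tree, depth-first, built from the create events."""
    children, images = {}, {}
    for e in events:
        if e["type"] == "create":
            images[e["pid"]] = e["image"]
            children.setdefault(e["ppid"], []).append(e["pid"])
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 1536)))
    for pair, finding in sorted(triage_writes(EVENTS).items()):
        print(pair, finding)
```

On the report's own rows every pair grades low; only the added PID 4000 write grades high. In a real pipeline the creation event must be matched by PID and creation time (PIDs are reused), which the constructed events here leave out.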
Processes
C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe (PID 1536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 2336)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\FilesR3\xoptiloc.exe (PID 212)
    Command line: C:\FilesR3\xoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: 94a84a81c40233294670e3c044c0ddcc
  SHA1: f5a63a5f262db4c9b8ecb807692cd43b9e5ea37f
  SHA256: 6a5defae2c43fe2c60dbe9e108287030ab99947c84eab6569e62566df237d4da
  SHA512: f39367e868049f5796be8459ce945691bdb92425b1657ce62aeece013b72a456aeab9d20c206e12b32ffcceefafc3bda6ac28e027846bf23bac7281306691974
Filesize: 203B
  MD5: 4a5b362dd82ef873942d5aee8c5caea6
  SHA1: e7dbf040b93fab5916aeec0ee4c64b40d72958b9
  SHA256: 925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d
  SHA512: 4dfee0637832e32ef8dd87f81f401d580781fc382c03cbfb1b47745138648564cf869ce5db2238f9fbfdf3ccba9201e3b3150064971fff65aafe3a0b83a31c79
Filesize: 171B
  MD5: c23d1d86c248b156c55e54b4a49c6542
  SHA1: 2d451ba9173c1f14512a11a8394f5f6e51227b7e
  SHA256: e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3
  SHA512: ac29886624b6603dd91035533a4e89c71cb5d53f8f9c1401556c8deb6e4c9bb4320678d2e7011013c1fc312a8bcc177cbd01d287f79ba2c8019f85f32388baf6
Filesize: 2.6MB
  MD5: aa5957fd4dda14be6cd7279cdefb49c6
  SHA1: 6b042eb4072db2e6d92bbfbcd51cd775684b1e1b
  SHA256: fd563068e0cf2122dadc65b8950670c9852a1bf8b40dadefe59055c128ff7fcd
  SHA512: dd69b273bba57b26419de8d7ad92040d98703dfad8560e204ccff1963634ec4f889b205392e519c429c3dd5cf681cd2a08c90bcf5a066c155783eafba7b038a8
Filesize: 2.6MB
  MD5: 38c6cf3246405b92f7770b7dafb3884f
  SHA1: ff31db2aeb9315c12ba5cea0e95fda8006295f80
  SHA256: 79803192c0668caa114f969bbfaba0c73a69276220f6f869897b8d610e2b3170
  SHA512: 6c183541b7b4ca410a706d518254e0b333b326fcf9b30bf0e2334e5cc9650f9908a97fc5d1777734a4929dca60365a3ae70a1f64433b7453bbd368704f0c4b85
Filesize: 2.6MB
  MD5: 0dec7b60fe94670c6083b86b6412b7ee
  SHA1: 9b866a5fd59efabae794f91f359590f3c83b5299
  SHA256: e885c5c011a2360ec7cc53457989e358d09233e0a9a6f7fbb1d5687f157e5dac
  SHA512: 49b93d3737afde7c66a9ded421bcb7a849f572ee984a450637515c4aa843afa996bd65bcdb5ad99f8622e9761f1a5ea4e60f8bd959c2360e3db94c77c4f36026