Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 19:47

General

  • Target

    e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe

  • Size

    2.6MB

  • MD5

    095d375e30551efe363dee87431283e0

  • SHA1

    ffd6bda3580ea75580b6d5f499b3b530228bf312

  • SHA256

    e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3

  • SHA512

    29b578038c227a9aea78e59d03865bf76a14fb6340a9c0cf87f56863f33e815e4d2b7509eacc4e1e29c17d05d726bf4e0d03ec0ee56688770972c3e5a8b939ec

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSm:sxX7QnxrloE5dpUpyb/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
    "C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2336
    • C:\FilesR3\xoptiloc.exe
      C:\FilesR3\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesR3\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    94a84a81c40233294670e3c044c0ddcc

    SHA1

    f5a63a5f262db4c9b8ecb807692cd43b9e5ea37f

    SHA256

    6a5defae2c43fe2c60dbe9e108287030ab99947c84eab6569e62566df237d4da

    SHA512

    f39367e868049f5796be8459ce945691bdb92425b1657ce62aeece013b72a456aeab9d20c206e12b32ffcceefafc3bda6ac28e027846bf23bac7281306691974

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    4a5b362dd82ef873942d5aee8c5caea6

    SHA1

    e7dbf040b93fab5916aeec0ee4c64b40d72958b9

    SHA256

    925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d

    SHA512

    4dfee0637832e32ef8dd87f81f401d580781fc382c03cbfb1b47745138648564cf869ce5db2238f9fbfdf3ccba9201e3b3150064971fff65aafe3a0b83a31c79

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    c23d1d86c248b156c55e54b4a49c6542

    SHA1

    2d451ba9173c1f14512a11a8394f5f6e51227b7e

    SHA256

    e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3

    SHA512

    ac29886624b6603dd91035533a4e89c71cb5d53f8f9c1401556c8deb6e4c9bb4320678d2e7011013c1fc312a8bcc177cbd01d287f79ba2c8019f85f32388baf6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    aa5957fd4dda14be6cd7279cdefb49c6

    SHA1

    6b042eb4072db2e6d92bbfbcd51cd775684b1e1b

    SHA256

    fd563068e0cf2122dadc65b8950670c9852a1bf8b40dadefe59055c128ff7fcd

    SHA512

    dd69b273bba57b26419de8d7ad92040d98703dfad8560e204ccff1963634ec4f889b205392e519c429c3dd5cf681cd2a08c90bcf5a066c155783eafba7b038a8

  • C:\Vid0G\dobdevec.exe

    Filesize

    2.6MB

    MD5

    38c6cf3246405b92f7770b7dafb3884f

    SHA1

    ff31db2aeb9315c12ba5cea0e95fda8006295f80

    SHA256

    79803192c0668caa114f969bbfaba0c73a69276220f6f869897b8d610e2b3170

    SHA512

    6c183541b7b4ca410a706d518254e0b333b326fcf9b30bf0e2334e5cc9650f9908a97fc5d1777734a4929dca60365a3ae70a1f64433b7453bbd368704f0c4b85

  • C:\Vid0G\dobdevec.exe

    Filesize

    2.6MB

    MD5

    0dec7b60fe94670c6083b86b6412b7ee

    SHA1

    9b866a5fd59efabae794f91f359590f3c83b5299

    SHA256

    e885c5c011a2360ec7cc53457989e358d09233e0a9a6f7fbb1d5687f157e5dac

    SHA512

    49b93d3737afde7c66a9ded421bcb7a849f572ee984a450637515c4aa843afa996bd65bcdb5ad99f8622e9761f1a5ea4e60f8bd959c2360e3db94c77c4f36026