Analysis

  • max time kernel
    120s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 19:51

General

  • Target

    2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe

  • Size

    2.6MB

  • MD5

    5aef48c6c4105e9bae2f75d303ad0794

  • SHA1

    d5e48de1a63ff8b1a73afeb8d3cb001ba2d9f0f4

  • SHA256

    2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106

  • SHA512

    b1f12aab628149631fcfa40921da2ee2be9357d91e9b9f2cb6756ba67108f55bd691fefc25e6f30c9a1d0d89eb3314b4aeca519516e7931b8bd25724260d51f3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS2:sxX7QnxrloE5dpUp/bX

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
    "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4084
    • C:\UserDotT2\devoptiec.exe
      C:\UserDotT2\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5060
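The process tree above is a compact persistence chain: the sample (PID 3588) drops a copy into the user's Startup folder and another into a random-looking directory directly under the drive root (C:\UserDotT2\, with C:\KaVBVW\ also written), then launches both. Note from the Downloads section that the 2.6MB copies all carry different hashes (and optixsys.exe was captured at two different sizes), so the hashes from this run are weak indicators for other infections; the paths and the drop-then-execute behaviour are what to detect. The following is an added example, not part of the sandbox report or of any vendor's rule set: a small correlation routine over Sysmon-shaped process-create, file-create and registry-set records. The event records, the explorer.exe parent in the benign control set, the sandbox launcher PID 1234 and the Run value name "locxdob" are constructed for the example; the report does not show the actual Run key value.

```python
"""Detect the drop-then-execute persistence chain shown in the process tree (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One telemetry record in a Sysmon-like shape (constructed for this example)."""
    kind: str          # "process_create", "file_create" or "registry_set"
    pid: int           # acting process (file/registry events) or the new process (process_create)
    image: str         # image path of that process
    ppid: int = 0      # parent pid, process_create only
    target: str = ""   # file path written or registry value path; unused for process_create


Finding = Tuple[str, int, str]   # (rule name, pid, path)

STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# <drive>:\<single directory>\<file>.exe; directories Windows itself creates are allowed below
ROOT_DIR_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "programdata", "users", "perflogs"}


def analyze(events: List[Event]) -> List[Finding]:
    """Replay events in order and emit one finding per matched rule."""
    dropped: Dict[str, int] = {}       # lower-cased path -> pid that wrote it
    by_pid: Dict[int, Event] = {}      # pid -> its process_create event
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "file_create":
            dropped[ev.target.lower()] = ev.pid
            if STARTUP_RE.search(ev.target):
                findings.append(("drops_startup_file", ev.pid, ev.target))
        elif ev.kind == "registry_set":
            if RUN_KEY_RE.search(ev.target):
                findings.append(("adds_run_key", ev.pid, ev.target))
        elif ev.kind == "process_create":
            by_pid[ev.pid] = ev
            if ev.image.lower() in dropped:
                findings.append(("executes_dropped_exe", ev.pid, ev.image))
            if STARTUP_RE.search(ev.image):
                # legitimate Startup items are launched by explorer.exe at logon
                parent = by_pid.get(ev.ppid)
                if parent is None or not parent.image.lower().endswith("\\explorer.exe"):
                    findings.append(("startup_item_not_launched_by_explorer", ev.pid, ev.image))
            m = ROOT_DIR_RE.match(ev.image)
            if m and m.group(1).lower() not in EXPECTED_ROOT_DIRS:
                findings.append(("exec_from_unusual_root_dir", ev.pid, ev.image))
    return findings


# Constructed events mirroring the process tree in the report (PIDs and paths from the report,
# launcher PID 1234 and the Run value name are assumptions).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe")
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\locxdob.exe")
ROOT_COPY = r"C:\UserDotT2\devoptiec.exe"

SAMPLE_EVENTS = [
    Event("process_create", 3588, SAMPLE, ppid=1234),
    Event("file_create", 3588, SAMPLE, target=STARTUP_COPY),
    Event("file_create", 3588, SAMPLE, target=ROOT_COPY),
    Event("registry_set", 3588, SAMPLE,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\locxdob"),
    Event("process_create", 4084, STARTUP_COPY, ppid=3588),
    Event("process_create", 5060, ROOT_COPY, ppid=3588),
]

# Constructed benign control: explorer.exe launching a Startup item at logon.
BENIGN_EVENTS = [
    Event("process_create", 2000, r"C:\Windows\explorer.exe", ppid=1),
    Event("process_create", 2100,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\benign.exe",
          ppid=2000),
]

if __name__ == "__main__":
    for rule, pid, path in analyze(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid} {path}")
    print("benign findings:", analyze(BENIGN_EVENTS))
```

Run against the constructed events, the routine reports six findings, two per process (the drop and Run key for 3588, the dropped-and-executed Startup item for 4084, the dropped-and-executed binary in an unexpected root directory for 5060), and nothing for the benign control. The parent check on Startup items matters: a binary in the Startup folder is not itself suspicious, being started by something other than explorer.exe during the same session is.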

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBVW\optixsys.exe

    Filesize

    14KB

    MD5

    eea4aa3d13cff294fb9de101050d3b95

    SHA1

    8be9253d0215e54c585f56eadb2280278a3ef3fa

    SHA256

    4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

    SHA512

    8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

  • C:\KaVBVW\optixsys.exe

    Filesize

    2.6MB

    MD5

    e883a7b2bf5da2640a7c07274a277e74

    SHA1

    c13a864660f93cb0e6317ed0271e501e21abb457

    SHA256

    e2fb9b194182ac05f171eccb542ad20dfc9b2342c2b5ef982b9a32463243c7f8

    SHA512

    0b64d417734c270e613fc92853d22778fca9cba19f5aa850922561fc1807fb3e312cbc3cc1b4ba4de82fa0c5781993123978c04ac27f0a664813087e24012f5a

  • C:\UserDotT2\devoptiec.exe

    Filesize

    2.6MB

    MD5

    ce165c1620dec4a372e2598993fe31c2

    SHA1

    827d3680cec6c24a5e1026e8ab0a26acaeec663b

    SHA256

    848fa1114146980b2036ca9bd7d9e8e62f331bcd8dc0cad6106608746d486c24

    SHA512

    7242a7a52759247d7be27cc6eb80d7b1f6391e6a93cf29908b4c72a5ba0613d638e319246eb5d78cb8b36a710219dded4dea0edd2c1975f097ec871e33fdb432

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    e5f41508854e03fe98d16dd426865f1e

    SHA1

    790260a6cc4da4509ff7020162fed5c338be91d3

    SHA256

    b5db102b6e7d4030ce055d0d46ae0c81ccb02a801e6e57c7d0a82403450d36b6

    SHA512

    0423e8b041306240b05964a88b1497deaeabf4da01727c28fc42a3a1a3ddf06d2a56dfb9e7900768e72360bae68c8e2a307b4ed7ca81ea5858cd6a61b66b9bca

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    c7a301b9b2cc0b4d2ea424a2f197f920

    SHA1

    7125f9e254cb0d4597c4e23c36ca8bd01069c384

    SHA256

    b1282584d51b310168d3a07641cdcf0815f9c716a8944a13b3251054c84aeb62

    SHA512

    0d53e0b8d4c73305ea6c168a817c11b2cf5faa49a313614d5f37ea5559dc338904070767b0db77ebb81dd65ea4aa891762609d7bd845970217d7fc21dd593637

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    13e9c021fa948e0ded92d99a6f07860f

    SHA1

    8ddadf3ee90ce88b8df24c2a915bfbc07d92f1f0

    SHA256

    26ce8449e7a44c32d710def9f13927aac989559ea5796bfc24a36ba7233eeb0b

    SHA512

    8cb325470717f041e4a492b14a111dbc5fb61b8175a7d4f8bf7d25e213dc81a57f1010a67a33da4cf6f9afdf89a4a3bcf126b3f3dfc7edcbf548c3ea5870c501