Analysis
max time kernel: 120s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 19:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  Resource: win10v2004-20241007-en
General
Target: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
Size: 2.6MB
MD5: 5aef48c6c4105e9bae2f75d303ad0794
SHA1: d5e48de1a63ff8b1a73afeb8d3cb001ba2d9f0f4
SHA256: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106
SHA512: b1f12aab628149631fcfa40921da2ee2be9357d91e9b9f2cb6756ba67108f55bd691fefc25e6f30c9a1d0d89eb3314b4aeca519516e7931b8bd25724260d51f3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS2:sxX7QnxrloE5dpUp/bX
Malware Config

Signatures

Drops startup file (1 IoC)
Processes:
  description  | ioc                                                                                       | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid  | Process
  4084 | locxdob.exe
  5060 | devoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                            | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVW\\optixsys.exe" | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT2\\devoptiec.exe" | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | Process
  3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
  4084 | locxdob.exe
  4084 | locxdob.exe
  5060 | devoptiec.exe
  5060 | devoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        | pid  | Process                                                              | procid_target
  PID 3588 wrote to memory of 4084   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 86
  PID 3588 wrote to memory of 4084   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 86
  PID 3588 wrote to memory of 4084   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 86
  PID 3588 wrote to memory of 5060   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 87
  PID 3588 wrote to memory of 5060   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 87
  PID 3588 wrote to memory of 5060   | 3588 | 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3588

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4084

    C:\UserDotT2\devoptiec.exe
      Command line: C:\UserDotT2\devoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 5060
Network
MITRE ATT&CK Enterprise v15
Downloads