Analysis
max time kernel: 149s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Resource: win10v2004-20241007-en
General
Target: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Size: 2.6MB
MD5: ba2af45e14c853c016dafed96d8ca3f0
SHA1: b5875c16fd475341015c586b3d2eb13f554e0734
SHA256: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
SHA512: 4b834fe5ca5ae210103998e27df2b87c7ecb706594f1e341ad1223116264cfd2badb30c9a6184be7f92d642d25e60ea94e7c5fb0e2967d06ef34bd66d2000fc9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | Process
2184 | locxopti.exe
2680 | xoptiec.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | Process
1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZV\\xoptiec.exe" | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM7\\bodxloc.exe" | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xoptiec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxopti.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | Process
1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe (2 entries)
2184 | locxopti.exe (31 entries, alternating with 2680 below)
2680 | xoptiec.exe (31 entries, alternating with 2184 above)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | Process | procid_target
PID 1040 wrote to memory of 2184 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 29
PID 1040 wrote to memory of 2184 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 29
PID 1040 wrote to memory of 2184 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 29
PID 1040 wrote to memory of 2184 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 29
PID 1040 wrote to memory of 2680 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 30
PID 1040 wrote to memory of 2680 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 30
PID 1040 wrote to memory of 2680 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 30
PID 1040 wrote to memory of 2680 | 1040 | 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
   PID: 1040
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (child of PID 1040)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 2184
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\IntelprocZV\xoptiec.exe (child of PID 1040)
      Command line: C:\IntelprocZV\xoptiec.exe
      PID: 2680
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads