Analysis

  • max time kernel: 149s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 20:11

General

  • Target: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  • Size: 2.6MB
  • MD5: ba2af45e14c853c016dafed96d8ca3f0
  • SHA1: b5875c16fd475341015c586b3d2eb13f554e0734
  • SHA256: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
  • SHA512: 4b834fe5ca5ae210103998e27df2b87c7ecb706594f1e341ad1223116264cfd2badb30c9a6184be7f92d642d25e60ea94e7c5fb0e2967d06ef34bd66d2000fc9
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
    "C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2184
    • C:\IntelprocZV\xoptiec.exe
      C:\IntelprocZV\xoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocZV\xoptiec.exe
    Filesize: 2.6MB
    MD5: afc6e9e67e2c0ee9bdafd320169bbd01
    SHA1: b01ba196499b619a5aa566ae95cd8ea2bf43dc8f
    SHA256: fef3c17437a21241fb0f6d93af4ad942ea3a5d3ddfd61eb0bc615a1413b6778d
    SHA512: b259450e5bc0a5495ea304bdadd457b1a6803e79714310353eb0ec8221faf1a6c5635e5ff1c5348288a3beb1574bcb4deb6d8e304e15761e758345e0fc36f18f

  • C:\MintM7\bodxloc.exe
    Filesize: 2.6MB
    MD5: 8915f75343ebf76f45889099de3a956f
    SHA1: bc0a5ab8d1618503e4aff46d192831918e6f87da
    SHA256: 2fc11407081529204f54d3548c777dd9c2da7312a65e0772c0ebfb9f1ff6ad2f
    SHA512: ebae7dd948948ce41b41f5c5849adee2d446b7ec8d100e1bcbd86eb0208b93e9523b6ac8d09ddd2f84b7a582fd5c1397837de4e9a7bbcd732d8796d0f3f68284

  • C:\MintM7\bodxloc.exe
    Filesize: 2.6MB
    MD5: d53aa90606c8163a2f41cc99b7e93921
    SHA1: d1a6e6e8b4eae4b92603d53ffd37a0aa989c13b0
    SHA256: f74c2d08bb2ff5f1b1e94d9af917490669f96d2eb2c5ccb8d7ca033771c35dcd
    SHA512: 661e9049504528f12d68d8085d38cb9159e13b5c7d1d84da07ea79535bc62d0f6f36a4c3d6a2613648d97f48307d83e98da5267212ddb556d942572c8a461519

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: f4ee47fbb0c12b0829c7a35d5029f774
    SHA1: 2dfdf0c2d8bb0160f62036399396eaceddc0b0ac
    SHA256: ded3058e91cf40541546812be10e270bf63d8a17d965325ee226af95a181f47a
    SHA512: 58f98eb7861e0bfcb8d5b1e773608343cf62a32ba32d479d1f5323934a94c0850031ce9cd289b6363c99e684da5cb2d786df9f59d42a5f589f08616a99a47367

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 9ce1a4e927e43fc3c509f486a2452889
    SHA1: 03f3e3d6789be4f027f092ea23f4bdd17384f11c
    SHA256: 589eb4cc2e39c411a415f619e54078791d405d1f8d73b35d3142c124f4856e2f
    SHA512: a813f7f8a142383f0d826e89a0530c92028517691d961fa813c60e5338770ae323662fb6c48b9ba4e306ba16ff116b18ddf1478071c395ffbe2fca8ca972881d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 2.6MB
    MD5: f41c106dde71e666e4443019bc70b2dc
    SHA1: 59ec15e42004025517a3f684e2dc4d444144182a
    SHA256: 7758eacd14586ad40943e8058f4b86f22d4843ce1a2898272793d9333061ff42
    SHA512: 8a933d4405197928a099c7db0b9cb09150a68f2b9b806a41f1b52b4e73ac4fac45513aaac9fc46d07acd8c5751f6ef9a802f6b660ecea636163ee13b53839037