Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:11

General

  • Target

    1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe

  • Size

    2.6MB

  • MD5

    ba2af45e14c853c016dafed96d8ca3f0

  • SHA1

    b5875c16fd475341015c586b3d2eb13f554e0734

  • SHA256

    1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98

  • SHA512

    4b834fe5ca5ae210103998e27df2b87c7ecb706594f1e341ad1223116264cfd2badb30c9a6184be7f92d642d25e60ea94e7c5fb0e2967d06ef34bd66d2000fc9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpHb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
    "C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5076
    • C:\UserDotX1\xoptiec.exe
      C:\UserDotX1\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZBT\optixec.exe

    Filesize

    2.6MB

    MD5

    3e90888723ef6453ef311c2cca51961a

    SHA1

    934ffcab17d793714237465cd0c7aa54d61b40dc

    SHA256

    80c21d1bb45390d3aed6f889b99a12f8c56b791f1b4ec1fa35d0146076b88fab

    SHA512

    3c796cc66ec2fe1912c351fc67425497682a3eb39da585ca001bba14791933194d050cee9b80c407f83fc5c386bdc6508bc0dbb198ef16401dca3258ac229e2e

  • C:\LabZBT\optixec.exe

    Filesize

    1.5MB

    MD5

    432c3b0fedc10012d22702bb73fd808a

    SHA1

    c31a75b9658ffd6eeda112176cf54bf4c654fbac

    SHA256

    d5cc060fe7c1019c0c3e627ac5166e0de80ae565c537e988cacabebda5a5c06d

    SHA512

    3175929d1fd3b28a809a049e7937f40fb2aec7046b3d08d8b2235b2926808adfce193d45d67654a08a71eb58b67deb4fd162bc76431c634db6e2ee5619da31a6

  • C:\UserDotX1\xoptiec.exe

    Filesize

    2.6MB

    MD5

    13913dda2d22ae3855967e28e905dd4e

    SHA1

    467910f29dcc8ad22f18f8edc6177e1926fa9b68

    SHA256

    5e913e0a886e3268f247c8f3ddebe7e074bdef466da488775a30eb8bdf233748

    SHA512

    3c1ba249d07fd8f30d6471d7e81e4fadb850b41bcddb38fe2984efc66c051fadb4b5734fa12d8e0af8f9b5d6b7bf85dca9c1ea76378fb6fe61d2baf86b5e9206

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    794e353a0ccf79f7a8e532fe7eebe60e

    SHA1

    260ba0cec60050a56c527c04c7c48e6f0c0fb315

    SHA256

    d089546a734f66ab113b0abc42e10f954775722a4b0046d045a812104ed2929d

    SHA512

    83c5a06a7117e409533d2e5eadf7d2823884fb34efb2433ced8e33971a4435d4e2af02a7878fe395ac3ec572ea98328bdb8999b61d376b08c530420d5b0c59b7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    885a5960605a1d7053c6134191643cfb

    SHA1

    569a1be0eda07b3629683be036523a554b7a989d

    SHA256

    2fefd288cca9819f6a3f570af80b227b271bcfa50b298e08cf5110a2ca145a0d

    SHA512

    ed84d15674385bf798199422b3dd7e26c93f87806db9c3b379a64c4c224c84035eb921ab37a6f604d35e5e8acb3038d5c15660dcabeb90b80a720ad9861e69d3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    a6c18a0429c022b001abe9a30e91d826

    SHA1

    496923baf87d7b33dd0b7f6bc3a7d11ea6d14545

    SHA256

    b6846b96bd3ad0fbde43c42c34cdb4363fd12a1a737c562d32824152179da0a9

    SHA512

    5dbfa438af4135bac12a6695c9e1cddbe5e4662fe576e4427e75308a0b2d3b1453c7938a076a5e021a7ecd50e0b2e62b1c171aebff6a936989bb7214f3d590e9