Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 20:11
Static task: static1

Behavioral task: behavioral1
  Sample: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Resource: win10v2004-20241007-en
General

Target: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
Size: 2.6MB
MD5: ba2af45e14c853c016dafed96d8ca3f0
SHA1: b5875c16fd475341015c586b3d2eb13f554e0734
SHA256: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
SHA512: 4b834fe5ca5ae210103998e27df2b87c7ecb706594f1e341ad1223116264cfd2badb30c9a6184be7f92d642d25e60ea94e7c5fb0e2967d06ef34bd66d2000fc9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Executes dropped EXE (2 IoCs)
  PID 5076: locxopti.exe
  PID 3832: xoptiec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX1\\xoptiec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBT\\optixec.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by locxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Recorded across three processes:
  PID 3404: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  PID 5076: locxopti.exe
  PID 3832: xoptiec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  PID 3404 wrote to memory of PID 5076 (procid_target 87), recorded 3 times
  PID 3404 wrote to memory of PID 3832 (procid_target 90), recorded 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
  PID: 3404
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (child of PID 3404)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    PID: 5076
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotX1\xoptiec.exe (child of PID 3404)
    Command line: C:\UserDotX1\xoptiec.exe
    PID: 3832
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads