Analysis
  max time kernel: 119s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 13-11-2024 20:12

Static task: static1

Behavioral task: behavioral1
  Sample: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  Resource: win10v2004-20241007-en
General
  Target: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  Size: 2.6MB
  MD5: 303375e6c1dc4ae37aebfc2e21aca00b
  SHA1: 278d1dfdc0cddaa330497886071a47b6fda10393
  SHA256: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5
  SHA512: 55ef61511a4fedae753d0812e64ffb071f84c00663e290aebc5364dd3260d13d5ce9a5da243bebbbf6211524b6b20df53ba577ea7e107b79233112bae41bad36
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSC:sxX7QnxrloE5dpUpfbF
Malware Config

Signatures

Drops startup file (1 IoC)
  Process: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Executes dropped EXE (2 IoCs)
  PID 2156: locaopti.exe
  PID 3056: xdobsys.exe

Loads dropped DLL (2 IoCs)
  PID 2368: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  PID 2368: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4H\\optidevsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIE\\xdobsys.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (locaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xdobsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2368: f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe (2 entries)
  PID 2156: locaopti.exe and PID 3056: xdobsys.exe (alternating entries for the remaining IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2368 (f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe) wrote to memory of PID 2156, procid_target 30 (4 entries)
  PID 2368 (f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe) wrote to memory of PID 3056, procid_target 31 (4 entries)
Processes
  "C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe" (PID 2368)
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe" (PID 2156)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\SysDrvIE\xdobsys.exe (PID 3056)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads