Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:12

General

  • Target

    f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe

  • Size

    2.6MB

  • MD5

    303375e6c1dc4ae37aebfc2e21aca00b

  • SHA1

    278d1dfdc0cddaa330497886071a47b6fda10393

  • SHA256

    f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5

  • SHA512

    55ef61511a4fedae753d0812e64ffb071f84c00663e290aebc5364dd3260d13d5ce9a5da243bebbbf6211524b6b20df53ba577ea7e107b79233112bae41bad36

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSC:sxX7QnxrloE5dpUpfbF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
    "C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2792
    • C:\Adobe9Q\xoptiec.exe
      C:\Adobe9Q\xoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe9Q\xoptiec.exe

    Filesize

    1.1MB

    MD5

    adc6ebf169b2e7595c7f3d17d6e632fc

    SHA1

    01a43b9ac810020d85bcb2427ac996c1ffe0506b

    SHA256

    d8f7c9d239c73fd9277299a33f8b8f8dfee85af3934ff2e4eaf6756137c25d96

    SHA512

    92063efb14969f07edaedfc959764b6ed8741dde367fff74adb32ac3677c8eb3005eb0a517237de98c77f76a2fa76ff0bb9b95f497ff7ec0bc8315efe71cd700

  • C:\Adobe9Q\xoptiec.exe

    Filesize

    2.6MB

    MD5

    efa9ef7c86dcea37dec00950513e1c69

    SHA1

    a48e659c7c3d9684023609b78aa5be1356bf818b

    SHA256

    9443841c89a34c9d3e9cf34c9acc7eaea199b3103fa19b24a79ba840f5cada03

    SHA512

    209ed267fbffbd3ab7033ad1f632f55d56ff547419dd1d076dc4ee772d7bea949441d4bd8e6f750b50455b0129a5bb985add6af5fa6d7f6a05571ba7c06a08b7

  • C:\Mint4E\bodaec.exe

    Filesize

    2.6MB

    MD5

    8803a5b4e8c1cc005317d66276f59b0b

    SHA1

    da7a4c2088cdd86cdc9422fc889b84459c6b0967

    SHA256

    321049426c502347162908ef552de288adbeb3343e72cc7d69ca634f07068f28

    SHA512

    11ca36e233186d93d3911822ae51caf69cea3a776b9a8c08d125251d249350bd3b89a360cf5975ddf1ba9213176442492d74458caf8f6fdec5e19c8e0c6a20c0

  • C:\Mint4E\bodaec.exe

    Filesize

    459KB

    MD5

    9394db8b2e8247758dffe606c57eb9ac

    SHA1

    bb28b7a3d9ecc8d69d82152904ff36bb243987b9

    SHA256

    3c671c5358f2eb7c0c0887974be9d5266501dc5fe74e20a8156d8f2448c483fa

    SHA512

    35893cc8fddbd2c967009b13d0451e3576c10aabedb683a2574d9e470df0680e11c133853c8d5aef1cc0b6bd04368ae10d72273deaf27102ba985f4a77e86fe2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    199B

    MD5

    d4df9bff94d201ef91de24e4ae699ff3

    SHA1

    8d487c0aeffc53e24c8c2ee742e7d571595acaf1

    SHA256

    d505df219df310b23e3e2f014f59a128c5c30eb714c73387b0d5b741e5eecce2

    SHA512

    a1ef66ff8922bea2564d1861f520919ee99b35f0e7b696c88f65dcb9b06da037c686a0af2f1e30c5edc5b06d9b3fa7efd9165ebd65d8fba0e50ba8d0cd9962a1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    167B

    MD5

    f50c83727f57cf8fcc3e4fcf58866024

    SHA1

    b30e5ce42fe07a4d1b62f857df823e3991a641de

    SHA256

    d78a686c16a5524cad1a274efb953971e4997eb3dbf403ad3a7ad5c858991bfd

    SHA512

    dd72551d4cb34bbde3309c2a385a67a2a6af85e7c3c785e338553356a609f08e61db5a25108276c39c4d1e48de3c2c4cf70296a9a9c2c962d2001db01681a12a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    831c60f40ed81ec59f8ed88c91f64df9

    SHA1

    27be2d1cf06e52caf2742d637c3ca59f20e3d660

    SHA256

    b5b7742fb1ac139cd5643f73ad543daf96f91e457f9c263bea659e5597b086c1

    SHA512

    d9fc08e6765aa31fedd9f2bf9c4dfc25b01f59f97df42bcaab5916b493a34ac733fc856e6963343b95f3fcab280284080a2eb3c3b065f3c2ad34d93da868e4f5