Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  Resource: win10v2004-20241007-en
General
Target: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
Size: 3.6MB
MD5: d4c7e99f9fa1071f60f5e8be949a6554
SHA1: dc7efdfc80aeab13dcfe9052135bd22757defe00
SHA256: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602
SHA512: 1f97cc9c34763dec1b0d7d21873d14e5d561e747f2f2c82ba6bc7eb48e29f3ad2aae88c3c8fc674440fc06c902d64260b815f1bf12eb335d87a794a5574846c1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20tK:sxX7QnxrloE5dpUpNbVz8eLFczp
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe

Executes dropped EXE (2 IoCs)
  PID 2244  locxopti.exe
  PID 2156  adobloc.exe

Loads dropped DLL (2 IoCs)
  PID 2236  bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  PID 2236  bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBX\\adobloc.exe"
    Process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPN\\dobxsys.exe"
    Process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: adobloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2236  bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe (first 2 entries)
  PID 2244  locxopti.exe and PID 2156  adobloc.exe (all remaining entries, alternating between the two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2236 (bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe) wrote to memory of 2244, procid_target 31 (4 entries)
  PID 2236 (bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe) wrote to memory of 2156, procid_target 32 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe"
  PID: 2236
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    PID: 2244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocBX\adobloc.exe
    Command line: C:\IntelprocBX\adobloc.exe
    PID: 2156
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
  MD5: bdd5159659c3553b63b02402def48e62
  SHA1: 1652159d53a2a0536354ad663a5749a00bf3f773
  SHA256: f9f3ae7544816c27d297838da0cc5771eca1e5e6aeb1977deb76c0a16753b39e
  SHA512: d0f79ef3392ffc3d0164653656bf3ed43bad28a7a5cd0603681cdf933e3b3621f2b54ab929733240a4faa41e82c5772760d52b3b41690ee6a711a9cb73a09dea

Filesize: 3.3MB
  MD5: a159bbdc930c70b159452e1bbfa22f9f
  SHA1: b1161997c3c5ddf9fe1e4b01aa112df317d6ba75
  SHA256: af7e7a3a6538b0ec5871eb43d412f6cfee0f7d39776891ab24d3fbe18f88312e
  SHA512: d469ee4983500f03e0199c0fbc3b6ebaad5b8ee518a14eeceae0cdb2c2bcffc74e54937f05e7b7fffb48afc7b8ff924c45282877261e98bee84eb6496e9c7a83

Filesize: 3.6MB
  MD5: d6be2cb3ef854fa57410fcf395c19da0
  SHA1: 2929e6dbe8e957759549d4ce37620ca7ba22f3f9
  SHA256: 0b46b81360203f4735aee07d025e74eda04f4e1ebea12741d4cecfe6e8390a9e
  SHA512: b3e97823f1c3e0724b3e427cfcb4adf98674c5f352b2781b06a5a34604978901e92b797c7ccfe69e10820565f56fd1b31e48889c1d53e8c5bbb276400fd7c641

Filesize: 173B
  MD5: 7db9c0ab0f642e3e8a79a63731f0ad7a
  SHA1: 3d8f606fe5ea9ccf85e9dc873cfa9674adc72858
  SHA256: 199700680c8b2ef7fefab12872c17a08d792b4876eb730b6d142073126b8eeac
  SHA512: 5ec18a7d97687b51900c9cbb5ee927a4011230d9c04809c3d09a935b31191e13d80f4926754bd678b997b1e8636857ffa8cfce56b4564b447eb9d6b204b724ab

Filesize: 205B
  MD5: e5fbd02c3fea7ad97c4ed2cdcd6da036
  SHA1: d5aa9ff1295583ff1fbe64372ee27e17683fc5a9
  SHA256: 4a4e45f7bc5ac2e85f0e4cf0dc39003042820e678213d0068e9bcb49a2aab2de
  SHA512: dd5883790f80720daab999ad752449f1264a2f66185c07e66339093e5e6350f3c1da624cfbee27547b602a2573436129e7d17e453a9c88f1923fa17ebe91f660

Filesize: 3.6MB
  MD5: e17c37fbb7f98d4fef081bbb16aec72d
  SHA1: dd36b8db73b31c3a98e5de85bd46b7595f5c0b09
  SHA256: ce3f264497596ea15a0f76f8a3bfdd78efaf06c2d3226ca16414cacceed3688b
  SHA512: 125da137e3af5c03cc37193c959683d5825c41f57bc74c27d2e8116bb01275ee39000c22524f688aba4fab072a405d72fd513a70a10610d9d875de13a177536c