570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
Size

3.1MB
MD5

1c58d557f64cca11e9b13a362a895bc6
SHA1

8e8d84f395046a928b951fcdff61c8a3476221e8
SHA256

570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83
SHA512

8e7941b0ac97ab47b371d4eed63273c893ee33ed3735bfbbac6b627a53738d145074d704aa97432a07c344aebfc444461871d8df930c353d254599b59e7da586
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp/bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe

Executes dropped EXE 2 IoCs

pid	Process
3468	locaopti.exe
1964	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKS\\dobxsys.exe"	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7R\\xbodec.exe"	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe
3468	locaopti.exe
3468	locaopti.exe
1964	xbodec.exe
1964	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3468	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	89
PID 1704 wrote to memory of 3468	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	89
PID 1704 wrote to memory of 3468	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	89
PID 1704 wrote to memory of 1964	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	90
PID 1704 wrote to memory of 1964	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	90
PID 1704 wrote to memory of 1964	1704	570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe	90

C:\Users\Admin\AppData\Local\Temp\570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe
"C:\Users\Admin\AppData\Local\Temp\570e362ecfb9319eb2074f0bae1060c83d87e056050b42a98b19d33d0d56ac83.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- C:\Intelproc7R\xbodec.exe
  C:\Intelproc7R\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKS\dobxsys.exe

Filesize
3.1MB

MD5
6f03591e38b1ed8ff288b315450d0d84

SHA1
6fa241234b18212864815c8ef5da1b556baf80b7

SHA256
0f63d012f5663e82212ef4471bf15c05f7f52c0bffb65f624504e4599f6b2f5e

SHA512
f40ed34e24b29d0036ea43014e6bf1b80c34c0676a7a25b6ff9d6f9cb89e9ff5e2ae2581d56353827f166f1bc4eb9b37ecbd3e9c2aa62a548ae62c6222029b42

Download Submit
C:\GalaxKS\dobxsys.exe

Filesize
3.1MB

MD5
024b23c571250cea8050f7cd4527b650

SHA1
a855e4b129bf5d36a21bb94be81c20d5bfe84431

SHA256
64eccd8857a90febd92258953eaae42355043696737f1be5016589352a8ea2e9

SHA512
a27098c0bf4c1938e58bbc5af1421baa292092fc6e2518ad21a2e4e4fda4654f8e0738e3eb4c7fd2372f8243a10421dcea40e88441298bf1e108f63051944efe

Download Submit
C:\Intelproc7R\xbodec.exe

Filesize
3.1MB

MD5
15a081c3a6e5dc2c7075cf734dc95f02

SHA1
a780ec8692a16a823eef31d8bb21a1e81077297c

SHA256
de0a5076197fe21f3d01317c76d2587661e3cff94781ed05878bde39f909cdd1

SHA512
a1b02301fc77b3a0bee3327f43cc0daa2984dfeddbc58d82ffe633dbf01fa3ca91aa864abe3e1155b76ad0f357c7a77a4ca0b0c0caef7b12f63d3150970eb422

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
4c80523ed205aa4514cb07d39c2e4c35

SHA1
d17487606855b7d254da3fed69c70d5b512c8115

SHA256
b752533195a4bf43afb156c96b3f0a4d163bb287464eb45cdd1dcf6317407682

SHA512
2e50c7172f87e32e829058bfe9df05b51188bcdbdd872abc6fd5b129a81911813462a860e054f85731301e0c6445ad344cef133723b09f2b96aae740305ef378

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
96384da4eefb8a679859d1d4a1703d6c

SHA1
1f503cedb6f6a51272824158faca9918271126d5

SHA256
2a9f7a994a0e2973e87548935282365eb31ef3cb45af6ea8399b727888a44fa3

SHA512
ec658f62da52debeb8ad86f17b35efe16b7c43c6121534e32f32630f7f049a8103f3ceefa11c4257e23beca862c58646fffaf142a92a5581c782ff9d1302cede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.1MB

MD5
67be69ede16d2b940a71f552363efcd4

SHA1
951481be649dd356d798b579004f646ce1cc5925

SHA256
adefb9d9162eb32fa7f80cb4446e978f896f85c31dad668684aa85939b66844a

SHA512
9243add6ef30c96d246578cfaa105eff55d0cbb8f47a2877f1d73f3ba9e0872f16a99feaeafc0eeaaada92638ccc9d441072afdfbb43ef1906a67dbddb2075b7

Download Submit