4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
Size

3.0MB
MD5

2b58b1483d9593fdd4f7c349fae42c7e
SHA1

787dcd26c1583a11af44480a5b452809b91c0828
SHA256

4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0
SHA512

46d18f918afc982fc37ed092fe3f9d9504a075dba557bd896dddaaca68a1fbc628348855ad399e811fde1248b22813a69e8cd53eda4cdc35c8c4346b4bdad4a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8:sxX7QnxrloE5dpUpsbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe

Executes dropped EXE 2 IoCs

pid	Process
1060	locabod.exe
4104	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWP\\xoptiec.exe"	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXE\\optiaec.exe"	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe
1060	locabod.exe
1060	locabod.exe
4104	xoptiec.exe
4104	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 1060	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	88
PID 3428 wrote to memory of 1060	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	88
PID 3428 wrote to memory of 1060	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	88
PID 3428 wrote to memory of 4104	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	89
PID 3428 wrote to memory of 4104	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	89
PID 3428 wrote to memory of 4104	3428	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	89

C:\Users\Admin\AppData\Local\Temp\4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
"C:\Users\Admin\AppData\Local\Temp\4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\UserDotWP\xoptiec.exe
  C:\UserDotWP\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXE\optiaec.exe

Filesize
3.0MB

MD5
0ccf934d9d15a87a82ed3bc2815bd514

SHA1
ce0763562407c8268a7ba176113878e8fccee6df

SHA256
f7e46a865dc890835b34f08f45e9e2c691acf0f6bc2bf0b631676613085700a2

SHA512
4e072d918c45ca6cc5672809b4d531872209157c7971234ae0e998d6154a95811df92b7ef49664d0a980b2c608498eb396a52a4516a5f04d40f58f5337efbd85

Download Submit
C:\MintXE\optiaec.exe

Filesize
669KB

MD5
b7b77b3d64c8b3b238281d05d2e2c167

SHA1
db862c068af63c533cf8666ab73a8f4e946c2795

SHA256
8db2eef7fccf29a9ca9977a724e0be708a048f6eaea2f5da618cdc2d511b1f17

SHA512
008bbcc1e839fd94edf7c2f88c1f1289ae9e75b02ad534faeee1883cfd6cf9b66fd48aef3cbc324f5cf1f82b4d5b1086c91541fcf832393d54c8db638fbf2841

Download Submit
C:\UserDotWP\xoptiec.exe

Filesize
3.0MB

MD5
5c1228a9f6b7ef3a76c0544b37b04399

SHA1
fad10c9948c089d2c0bf27d4b7150456612ffc40

SHA256
23ace060f1e2548cb6c859bf80e63292db66a484f32bd3e9057113d9fe4af514

SHA512
59cac8304d4e97bbbe2cfb10744db377c1c5475ec1f871aadeaca4936c2c8525edfbada5382ed2df7d5aed6a74768284aadec27e4933b0b06cbfe23d3a075c7b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c99bbd9b6a7d08a924ddc87a4fd4fbfa

SHA1
b2f2d8f5e4c8823e1baba29bcd95b9534217d4c3

SHA256
dff027c2e7f3ab7c15aebe44c145f71a1c98699b593acfd00a8a11d9605e861d

SHA512
77d8e36a0744b70953edf33da5e2859df6d9eaca60f86ccfdadd1380f52a2d8e540566e4240dee9016195a4747962ac10a27583347a3af750172b34051f59ab5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
e7d00857766719b7471c1e48309b694a

SHA1
f0d563d0ff7976ba5c33c4c6a0d9dbc288b97e4e

SHA256
b1bc7a94a741904ed5090a82d0782ca242e78fc905337b060a250862933cf22c

SHA512
5a37a571d9b9775d6923e2fe159ed2462da42ed0118932bba88ab6b55418358ace69be568c093981795d0d4ebf7e57a4369927b6f467530f6be0cb336c8a5e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.0MB

MD5
7d48a63d48ad2ef3831e69732ef1d855

SHA1
79eef4de90ee3bd845ebe3d0317a5638c58cb0b8

SHA256
dfb3ca7d8d742cb75c8fb521e0fd9f8edd920cfe3b70e3e603ded4deddbb707a

SHA512
4a1cd161cb279dfd101a4579f2514007114f0ac84cdb167537ec28633fcc18a8bcf2e2648b9175614796537b0739edb3d5dda9391990fa6bed648786395cbd30

Download Submit