4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe

General

Target

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
Size

3.1MB
MD5

432cecdbedae53868e0630af844f1117
SHA1

447638357e4d19e379b13ab347eb08160ac35393
SHA256

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe
SHA512

123e6a83ed996e24421cadd24fc4fe9d45e8c3a0a04ed21241e6799879f36787a9d5f18cea2d8dd8b91fb829687669422a88976aaedd934c22a6b22f4d08da03
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpObVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

Executes dropped EXE 2 IoCs

Processes:

locxopti.exexoptiloc.exe

pid process

2116 locxopti.exe
2220 xoptiloc.exe

pid	process
2116	locxopti.exe
2220	xoptiloc.exe

Loads dropped DLL 2 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

pid	process
1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeB7\\xoptiloc.exe"	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2U\\boddevloc.exe"	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exelocxopti.exexoptiloc.exe

pid	process
1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe
2116	locxopti.exe
2220	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe

description	pid	process	target process
PID 1932 wrote to memory of 2116	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	locxopti.exe
PID 1932 wrote to memory of 2116	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	locxopti.exe
PID 1932 wrote to memory of 2116	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	locxopti.exe
PID 1932 wrote to memory of 2116	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	locxopti.exe
PID 1932 wrote to memory of 2220	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xoptiloc.exe
PID 1932 wrote to memory of 2220	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xoptiloc.exe
PID 1932 wrote to memory of 2220	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xoptiloc.exe
PID 1932 wrote to memory of 2220	1932	4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe	xoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe
"C:\Users\Admin\AppData\Local\Temp\4668470d372f917d2a4d188c734f1a480b3e17d1af551c7ebee91b93ff442afe.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\AdobeB7\xoptiloc.exe
C:\AdobeB7\xoptiloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2220

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeB7\xoptiloc.exe
Filesize
3.1MB

MD5
485fbed3de35d4f53ea3aa161f10bcfa

SHA1
f63238baf842a9bc1bc00ee3e115f4e2fb2546cd

SHA256
847a707e16e1fa24d92e35b9d930934c35572d3df4f58b2a4072b5b27a2e1266

SHA512
96cc0656d3f6d67e049773e1a2935336c4596fea9570b2f43ee46adf779f1f53277aefceb22bf70566fd8b9ae015db3120c528aa9b8c8f31b1104279d1f9c26a

Download Submit
C:\LabZ2U\boddevloc.exe
Filesize
3.1MB

MD5
aa5f3b3e5d00fa54bd9dc1fc23a76c05

SHA1
4fbb1a46582d4abf3c5be9fb054b0a535bbeb623

SHA256
e5484bdecc70465ce99f6b4fa9e43d44776b8ca70c5310b34ef4f3ee5c374ab5

SHA512
155ebd0c5981fb934ccd7a7ad3011151f79c6f7df65205239c3700e8c4392497006e977dd85473a70bd6bf62b07ec2c0a18b1c88bbce80c3d644af08e171e227

Download Submit
C:\LabZ2U\boddevloc.exe
Filesize
23KB

MD5
859ebb87091eda45d4aaf0ea5e233084

SHA1
7db3583f649e3ca4a64208de312be8edeef804e4

SHA256
e5879114b6d73753c6e36f5dd28769d598180e7749714c60c98d3de4a491bbe9

SHA512
c09308ad9e9cabad916973148c7d104d499eb492568eaf5574fd9b68dee97beb2fade58e85b0be82d4c0ae18f05f7658c7b9a79adabd2c57472b2579cb7cb9c9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
172B

MD5
564b75651232f13f09569ef2c6dd4a9b

SHA1
93abef38b36e461e8dd6207d8d35eb007e6d90eb

SHA256
e7d3b7ec69b49fb84dda579da1f2cd0ad7eec994b422d68d0d0887c08c7516db

SHA512
7e8e499f1597cd89743084fa58ca637ff3d28542a3f52610d7958b8e0144bd9d249895483722f5290e8c5117d7a91416980a34b8b52ad0b7b01439798c247e5e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
204B

MD5
db7840575914229a80a27cabcf5523fb

SHA1
15882d67404e29315525c72e542f98697ff81d8e

SHA256
79448f22f1daa6f09ad0e8b8bbe2c8f7100e57c71d47c400ddd52d3ef0ffe00d

SHA512
da49d7a01e9ab0d95d16aaf4929e4bac27ef3de8da8ca796738151a74efcaf68a8f76addad462beddefcf141330866abc8d6832fc045c64e2467b133a11a5d9f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
Filesize
3.1MB

MD5
ad3214f7bb1a991d4e5d0aa8b75659ab

SHA1
706a527d4b2e30b790f6b1210c95cc19134d78b3

SHA256
b8ff678ff22d0269694e70c998b4064af8e0828d95dedc7266f0da778a9a3f45

SHA512
1a089b74bb907bf61e9484a48ef2e7c4d360af7056680e342e121fb0b2727ed8a594f3ad5a8f9af0e57736f83b768dcd34b6f680fa2736457bfb8a8a53e04da1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads