7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
Size

2.7MB
MD5

34f1cf40e5092db56f1c4563766da5ac
SHA1

0759ea0b3ab441f9dbad7c59d7f0f58a32f38fd6
SHA256

7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342
SHA512

18da13735c3c978aece4555dc49e62a09a5be2ecef665943ffb76b47d1a0251a37c5815a88a278c30fd9617aa413fdc891600aa79269dfa84d49830b5997417a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSq:sxX7QnxrloE5dpUp1bV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe

Executes dropped EXE 2 IoCs

pid	Process
3412	locxbod.exe
4828	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQQ\\xoptiloc.exe"	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRO\\dobdevsys.exe"	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe
3412	locxbod.exe
3412	locxbod.exe
4828	xoptiloc.exe
4828	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 3412	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	87
PID 1336 wrote to memory of 3412	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	87
PID 1336 wrote to memory of 3412	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	87
PID 1336 wrote to memory of 4828	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	88
PID 1336 wrote to memory of 4828	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	88
PID 1336 wrote to memory of 4828	1336	7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe	88

C:\Users\Admin\AppData\Local\Temp\7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe
"C:\Users\Admin\AppData\Local\Temp\7f3fdb14cacac7a8c573365aa63f0dc7af504bf18ffdb264c98c2ccafcc86342.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3412
- C:\FilesQQ\xoptiloc.exe
  C:\FilesQQ\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesQQ\xoptiloc.exe

Filesize
1.5MB

MD5
d7a5ca07b31e540fd5746886c4b05a97

SHA1
112cd0ca6dfc265b7cf9a4c6baf99aec241835f5

SHA256
530c291b1130d0b6c8395110a4f887ce7a7a4d297ef99c0e70f73bae4b3d193c

SHA512
898cd0bf3d57378f5cfb466502c5a2b049ab1483f070844a685978c907912a3ac60cdc7f88a6aab7ad307acdbbf629f4c4e70e3d951e108880f6bdb018b8561d

Download Submit
C:\FilesQQ\xoptiloc.exe

Filesize
2.7MB

MD5
28bfeb952a32d1a5a54c1bb51598ca9e

SHA1
93fcf9e840da9ff0f16be9749983fc22191d57d9

SHA256
00b0ca2c2bffb3cb6ae98d5673131cae81503beae63bf9dfcf43bb5faba3353e

SHA512
ce8cd9a7a842c59b94368e7189147585cdbf01e672b7a52c60d930eeab145d2df66ef3e13a86612537d888ca028492b6969c5019436d3a4eae3a236639d5f13d

Download Submit
C:\GalaxRO\dobdevsys.exe

Filesize
2.7MB

MD5
6ceaa65daa30b9730319e4285731d0cb

SHA1
772aa4d7aeaa9d513d3d68d22380cd0f74f0700d

SHA256
3906740d6c5771393ac2ca28a1d9122089cafb4da2473d806c863b3f99a92cd0

SHA512
75d5291a0ab853dab469dd04a6d41bf80cecb771fc5093f1cde9c2a6d37df68baa1c8b426e136c294cdabaf368c68dabd1464749d1fd072eda81243564aef477

Download Submit
C:\GalaxRO\dobdevsys.exe

Filesize
2.7MB

MD5
b4f4626bd84412e52dd087609bb08349

SHA1
eec612fcc9cad2349f38f469ca9f7e3b8057e7e1

SHA256
c2bc9b809cfcd350d58f3b2ed88cd5915b16527379f9d9591b60160a783c64ac

SHA512
8637c30636385464135c091584f17174bfdb7ae3207fa8756cd5f25bd1c109dd5e1be7fab7633847cade005f8d3fb6d19d50202184a5dd279c86c8c6b27a38ac

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
2e99d81a48596376e4fcd3dc619dab70

SHA1
afb07ec62d07c0c40249ed23c86e0a0089df54c2

SHA256
9633c5eb7e1dd6388e6ca3248b9073a9166d17d0ac915e97301ef7e4d7966ea0

SHA512
1a9763644ae4d5a8c98fdf0b056d207b24870259ebc8df8537e72535978318baebab19c2b77a0b16cd58c7d560f0e12ab8f7cc5808dc5d4131d9640a8c0a0343

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
432b435cb471fa44b5bf3a99869a8a92

SHA1
989f4d33c309cc9625c91c480f2225d14cdf8c15

SHA256
49e5feeb69d82e123dda49ea56e2c1dba9d2b574af4ee7662677817f8c562e91

SHA512
c52ea91f248c9c19b36975f32eda46af6a22fe29e1e9d049b8c3bf9fa131db8069ea58f8cfdeb0ec57d495fd7fde77d2339bca024a00394aeaf81a46387818f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.7MB

MD5
e5e36c5015c6bed69a9b6a4279fdeee3

SHA1
eae33ff888c9d52690dd8759badafce04406fbfe

SHA256
42a5bfa7e7008036b3d0955d545eb552ac1d4ffe6827ce4d685a93cf6b4cf4bb

SHA512
df53901abb7f557daf0c00791edc811b89392844bb113bff3a8a0ee9da3e916183684d6331265a1223953fd51098a6e2f0f74c4793c2198af8a5a0a23f5c22b5

Download Submit