c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
Size

2.6MB
MD5

a013d3646ec49c2bbe5a80b79f92a757
SHA1

57920795b5684ebcf7120fd419f3e15fa545213c
SHA256

c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d
SHA512

67781659dae4885724aeac07c44ab1e10f0e78e6378867b7dadddc59601c23395ba62eaed21d273b7a3c13fa21fbebabdc91e3c58c40e8faf2cf154d323e3146
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	ecdevopti.exe
4476	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJX\\xoptiloc.exe"	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJB\\dobaloc.exe"	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe
1964	ecdevopti.exe
1964	ecdevopti.exe
4476	xoptiloc.exe
4476	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1964	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	87
PID 4892 wrote to memory of 1964	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	87
PID 4892 wrote to memory of 1964	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	87
PID 4892 wrote to memory of 4476	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	88
PID 4892 wrote to memory of 4476	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	88
PID 4892 wrote to memory of 4476	4892	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	88

C:\Users\Admin\AppData\Local\Temp\c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
"C:\Users\Admin\AppData\Local\Temp\c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\FilesJX\xoptiloc.exe
  C:\FilesJX\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJX\xoptiloc.exe

Filesize
49KB

MD5
5139b167ad5088bb5e3cb3f439674ade

SHA1
f6929b7f22e30f06b3e4175e265e5d355d5d7e8a

SHA256
95f84b75e91ebc70e17a2183993fd1c1f0607e1c1f2095432283ced08338b05d

SHA512
3f566c19f63a417f8e29104ad4f9e08acc4f706160c049eabde3a7274be328615d3ec266040e90c9bee8e28a498a05c430907c81eb2d44e018a3cbff1d1a4383

Download Submit
C:\FilesJX\xoptiloc.exe

Filesize
2.6MB

MD5
50786ad7ab1effafa28b35ef857cdb1a

SHA1
706ab47266501462504012ae2a3297240abac2a8

SHA256
7314cd10feb04073a06c95c42bdf618a0afd7ebbbd87665c9eeb3a6794240edb

SHA512
5d3a65bdfcfddfb7a2a793a03fa184e4cae677eb3edc8d74fd3c36561d50a2e3fd6cd68e79beba5434fa6553f3a1937df9b1038110dfbe57f0823aa49b87a6f9

Download Submit
C:\LabZJB\dobaloc.exe

Filesize
1KB

MD5
81306907a8898717e74eee7fe3ec9748

SHA1
6871f1f920d712de6120473f387e1497841b3829

SHA256
1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322

SHA512
205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

Download Submit
C:\LabZJB\dobaloc.exe

Filesize
2.6MB

MD5
e18dbdbcf70fdee12e24dd2c4ce7c924

SHA1
ab12338d8037e63797a9281d10fd55ac9ff9a4ab

SHA256
67788fa51c1edb47eef823d23c41da4636682984b714fd2b81b950a045b92fa9

SHA512
01b7d9c733b3f4da422f43ad2bc9a7e8ba0e2705037663c8b41f05dc2b6afd735939a4332bc2c4f26b795e31ee323e96a6faa9a6c45867f2e890f8648465b167

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
362d2515187ba3f14a8dd29779594034

SHA1
fad32a316a4c092cb39bc87d398ade2f5b0ea59b

SHA256
ae99103681a89d04cf1f38a07554eb952c81bd92369429a8d59073e107a60b24

SHA512
40633b0737e9be57a2284756bee0cbc49f869f83e427fedb83d316d5a3389467f46a16788e18430c8fcc844108f9d915393f8cafe419da546045606c87469e44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
6bd983e1f18e0a6ed6d3c7f00ca36016

SHA1
e8a163110f140cfb1b58c06a0166e7e9d47e37bd

SHA256
e1cdce6943c714eaf513e4154d2dd9aa0c2e57fbf5c16471178fa76222918acb

SHA512
c73eea4d82943f1e03870fce7987d8d0c74a81a9cbe5846c3bbf6f3acf93be1f9c35c5f2cea077b279375f4e12507e9e750f0b266e354469ecab0dc5db0f3362

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
e75f907d27c8a3106b42b5f6ab2c9c23

SHA1
d10f9721e66f6599dbfeee80b2ee95b9a513fbcd

SHA256
4c990d0dec413a06f69cb9c5dd761d30e1ce15c8ab4df09ec42c88b8e849ad13

SHA512
8f13af579ce75eec896d21ebe95c05d9550416c35f0da0f7a77b7f5fadf1dc2102683652cad5e9f5d58617a6ee5e2daf6d35bc06e5d704d19e406108feaa680f

Download Submit