43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa

Analysis

max time kernel
150s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
Size

2.7MB
MD5

c21ef40596cd09bd6fd1fa722f06cb9b
SHA1

8b6cc3fa3a069480ef9155b0976024f12739ff9d
SHA256

43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa
SHA512

af3d36871de79c67a1f730b1645eb353ed77f5b5a4a591ca8a4957f57fc861dd621021e37dfe50752d8634337afcde3b6e1f620555e7f96aaf6bed80005db262
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotU4\\xoptiec.exe"	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUJ\\optialoc.exe"	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4716	ipconfig.exe
2216	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
3584	xoptiec.exe
3584	xoptiec.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2988	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	88
PID 2280 wrote to memory of 2988	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	88
PID 2280 wrote to memory of 2988	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	88
PID 2280 wrote to memory of 3584	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	91
PID 2280 wrote to memory of 3584	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	91
PID 2280 wrote to memory of 3584	2280	43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe	91
PID 2988 wrote to memory of 1464	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	100
PID 2988 wrote to memory of 1464	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	100
PID 2988 wrote to memory of 1464	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	100
PID 2988 wrote to memory of 4180	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	102
PID 2988 wrote to memory of 4180	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	102
PID 2988 wrote to memory of 4180	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	102
PID 2988 wrote to memory of 3336	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	104
PID 2988 wrote to memory of 3336	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	104
PID 2988 wrote to memory of 3336	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	104
PID 1464 wrote to memory of 4716	1464	cmd.exe	106
PID 1464 wrote to memory of 4716	1464	cmd.exe	106
PID 1464 wrote to memory of 4716	1464	cmd.exe	106
PID 4180 wrote to memory of 2216	4180	cmd.exe	107
PID 4180 wrote to memory of 2216	4180	cmd.exe	107
PID 4180 wrote to memory of 2216	4180	cmd.exe	107
PID 2988 wrote to memory of 4944	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	108
PID 2988 wrote to memory of 4944	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	108
PID 2988 wrote to memory of 4944	2988	Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe	108

C:\Users\Admin\AppData\Local\Temp\43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe
"C:\Users\Admin\AppData\Local\Temp\43ab82808ff9f202ced4051f36e90570fd795f8435a17a868e898c09a34e56fa.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
  C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:4944
- C:\UserDotU4\xoptiec.exe
  C:\UserDotU4\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxUJ\optialoc.exe

Filesize
203KB

MD5
f1d60d99875da629e8ce6b276e54ed6f

SHA1
3b74509b4a706ed49b29e119d2320545a7185433

SHA256
5b9b6a41fbfd30f4d20916b82b68b72c3d0a865388b1c6f3850a265ac645d2db

SHA512
d6450750596d4254b3e82bb0c73877e6842bb1f8b79e428a6534c2108558e6cb6cdd42eaa75b29f8b1fcf5dc899c8b46ed4b7974e4a5c365fc6d61298a91b6fc

Download Submit
C:\GalaxUJ\optialoc.exe

Filesize
179KB

MD5
6885e40d3318a9dd6c2f35e1d03dfdcd

SHA1
83c521be0468d1a40f96b29392b70e4589dcc71c

SHA256
1107a50ebe2812e4d83983db8971f6658729688c37d06da1de2367260c2ca7c9

SHA512
e9511144de59cf307797fa9a65a72716bd67591337f427bd178bac2b5711383a6c1c2c317b759df3bf948f41b790fd856fc7e4201a4db3752b23a541ec9866d8

Download Submit
C:\UserDotU4\xoptiec.exe

Filesize
388KB

MD5
db0a51456371cd81183423d5a007a305

SHA1
e1dcb3fea24ae2cdcbddb06de3c1fd7213055fb3

SHA256
1273fe8fdb448d6ff94aa9a952579d4952913dbb97cab90fd2e82021da67ddd2

SHA512
3f1cc67429da9000f059f936f776df5b81de2c9929b6df9ca48cf13ca85e4648d40ddfad252d72aec677b1d92de4e64ca6a1977a0ad7ec4119d766400c5dae11

Download Submit
C:\UserDotU4\xoptiec.exe

Filesize
2.7MB

MD5
9fe69cdec6c19f20730725daac3515a5

SHA1
5548c3dfd5578a3fb1ea02e26aae9271b4823d6f

SHA256
769767c1760e2ad3fabe7b73472784a41b1ea9f59810869edb71c56087f02773

SHA512
d7110b5693913a9237f164d27ec276d400183e1cebfc6b1d950b93802ecca3a9319f47e6efc06e9b9a89ab4dbc4bfdcdbba2024fa2c195108ad9ec31d820bbc1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
d119d407e329b7f41ce3877009cefb3b

SHA1
2fd3ae5eb2fb2d766cdb25bde024cdb2b9084122

SHA256
afc9f75dceac78ebc76993f24259b692bb6056698fee4f04972f12e679fd2120

SHA512
29f9a73f66686fbca264a3695b0784ecff5d3bc78605ccba30bbafecf9c3e23b98a9c1af8500d29f284116e2b296c9c90f6cdf515772de0a254cd8f669f5db56

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b8c98d110ac694fc3fa064261332447c

SHA1
982e1afae2c99d92c648e162adc349f59e849d40

SHA256
3f372bcffa99affe9d93f1993adb58498cd77c021f903c6f7ae40afa27e9f87a

SHA512
2ecf601f8ff1431a0d8e6be00c10424b34a9c6c49694f2ccad9e8f782a468480ced4f1d4ed08713597798ef68cb57a03b3520f1725ae483e466758389ca51686

Download Submit
C:\Users\Admin\grubb.list

Filesize
40KB

MD5
2b0a13420bc26f5cadc17032d9b9343f

SHA1
24f8620b00f5bd8db0f03d0d637ad41f454f4eeb

SHA256
060b10eb8c256861e49729a1b9a52bde7164c9e52c77dfad4f001549191216dd

SHA512
87ba923488fdbc0ee9f53ef4312ae237583605f2feaf69cf5565dc466c09cb3155dcb55b581a5b0dfabb8ac68fe1cfbc9f9a026cee12cc2091c49e4324fb2eb2

Download Submit
C:\Users\Admin]BqqEbub]Spbnjoh]Njdsptpgu]Xjoepxt]Tubsu!Nfov]Qsphsbnt]Tubsuvq]locabod.exe

Filesize
2.7MB

MD5
8da7a1ab239183bb0dbbff3154503a59

SHA1
020c232fd4f1f7b7d2e62e7070173e5f064e4dec

SHA256
6d1098b5868f7af2e306671b20a69b94b8bb087aff3b35d83bc7a3c420d7b2b0

SHA512
859494c45cc738458ec3162b21571e273e8bb8936c95da29b87ec5b1247fde3735899eee7a5dff3c8342ffe069d869ec4fd027116cd3e5913aa29d4a794223c6

Download Submit