ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
Size

4.0MB
MD5

adb7728d4c7b219bbf52849f484db9be
SHA1

7ffa2ec0c08588a1c919b4350be908b9253c8342
SHA256

ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce
SHA512

8325ebc7d2504e1e663f7c3ab4fd5fb1859ad69a7ab53a6017861f1acceef4b3022236e753872a8ddc30fa8308e293ee634a1eea5593ff50b2031a482722669b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	locaopti.exe
4260	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2N\\xbodloc.exe"	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLZ\\optixsys.exe"	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe
2316	locaopti.exe
2316	locaopti.exe
4260	xbodloc.exe
4260	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2316	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	97
PID 1724 wrote to memory of 2316	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	97
PID 1724 wrote to memory of 2316	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	97
PID 1724 wrote to memory of 4260	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	100
PID 1724 wrote to memory of 4260	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	100
PID 1724 wrote to memory of 4260	1724	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	100

C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
"C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\SysDrv2N\xbodloc.exe
  C:\SysDrv2N\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4280,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:8
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxLZ\optixsys.exe

Filesize
4.0MB

MD5
1e77c26dd1ae48a08a03bbbea322e3bd

SHA1
1f192bc3a04d6c4e41e2a957790a4ef0845bfedd

SHA256
4a088f65dcb5af88e0c2af411c0ae783a770da00b930f576f2bb093b42377b01

SHA512
880b622ed0bef7a9aa6efad54fd44757648b36cf476147976411e43e832353bb1391691caa71f167444a975ee7496273b9a942c32674f296131ff422ee3f878e

Download Submit
C:\GalaxLZ\optixsys.exe

Filesize
4.0MB

MD5
40870c345cf6efc5360dce7dedb3105c

SHA1
f96463bd75481933082c015968e39abe8a6db18b

SHA256
1e986aad709d062c9c30d2cc7a0ea14cc1ae988c449275fd489507a6f0ff0643

SHA512
1397f94b02327db0e910ce49a4655f5cc10317a8063082eaa6fa86ecee7ad2712aeb8ad34541a02f4b8c83509b5af5266457eeff14e2efead5ed79a179d7d508

Download Submit
C:\SysDrv2N\xbodloc.exe

Filesize
4.0MB

MD5
8a0816733f116370dabc116f84e3dffd

SHA1
cfca22a1d90209020f244ce30f5cbfea850db7e6

SHA256
880710a2b4b0e77b8957d2bd92dd664814e41330430694533a50697b1b69066c

SHA512
708fe47778ad09c18dd2fd20fdb3418e493d935f20395d37e356e354191188d4ad4803a6d5ebd947e1fa15543ab049e85c29f51ceb623f0c01efa83d58d8c026

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
4383984d7756b866f8bc6aa08b99eb97

SHA1
0eb3ce7feb5132643e5883f9ee622f9002b3fdde

SHA256
d452cb74c32a843fda1934f35224a2b77fce01daf50eceb6e9351b9c0d56e849

SHA512
3c55328f52abf364140ab203face1bf08602f1e9371836cd7e89c970e7a0531ed201e09428b6f849259c346393b8e39aa3b759f621d25c48999e045e46f35be8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
8f0694a2eac04dfacb046b6b0443d670

SHA1
8d667e06239c567aa4529314a828d69716732e6d

SHA256
4879a02caff82d57fd79503c4c80c35d777d05b58d2d137af401622c63d58eab

SHA512
247a61117067a3a5d724c122765d666e313621f6bae052d6a5e045639d4f78786a6bac1008e2abdc030a54a38b851339b0146fd07f10a182f3ec768994e46707

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
4.0MB

MD5
305294c259649795d057cc374e7c728a

SHA1
f17809de26bb9383909ff5f3d6ae2f7371e78c28

SHA256
2d17b24772f9faf88fea220dbb27d9ff71dca2360966dd0ec27248c4f76995e2

SHA512
de6258f1f64ee555aab9faef836557421738ea9d658628a306ac3d90ee5c0501cf92876585f7e5653bf6e2641c2177043a47bfd256a23265e67c8287feae7403

Download Submit