fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
Size

4.1MB
MD5

da530171e74c008ced3f9191086d2cd0
SHA1

05d77b59ca883b526b617eeb51d952e90a09f2dc
SHA256

fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01
SHA512

aaf8ac9bef007f0e527ba170555428d6205aa431f68c3f7af97109f7192837cbba5bc12f0454d303199baff7ce2aad7743ba8624d9849ddf7f7037d3514ccbcd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe

Executes dropped EXE 2 IoCs

pid	Process
4936	locxopti.exe
2428	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGO\\adobec.exe"	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax30\\optiaec.exe"	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe
4936	locxopti.exe
4936	locxopti.exe
2428	adobec.exe
2428	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4936	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	88
PID 4624 wrote to memory of 4936	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	88
PID 4624 wrote to memory of 4936	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	88
PID 4624 wrote to memory of 2428	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	89
PID 4624 wrote to memory of 2428	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	89
PID 4624 wrote to memory of 2428	4624	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	89

C:\Users\Admin\AppData\Local\Temp\fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
"C:\Users\Admin\AppData\Local\Temp\fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\UserDotGO\adobec.exe
  C:\UserDotGO\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax30\optiaec.exe

Filesize
695KB

MD5
66eabd89b1dc72d649ae758202e450a3

SHA1
7ad3becea5c4f787c020058044e522fe4ecae947

SHA256
b8ea04d197fc5208a317b86e05ccd2b8295725f49a2e76078f3d9d8e629a5643

SHA512
9e83520050fedc86445499b5e3f10eb076b26d017ff2e2099774beb7c2f2fbee24b721e8df4d02787aeade8d52388794cd312924d458c1d66e172c83ddcdef1c

Download Submit
C:\Galax30\optiaec.exe

Filesize
3.0MB

MD5
61535c63a1755db69144ac2cdb376ab1

SHA1
ffcd37d1b8bf223a8d37d34949fac7bede4b6c94

SHA256
9d14ad3d890d15f9785d19e1561c1b31b46e8b0b50e757454f46d98dadae8a7d

SHA512
677f440b596a0f4b7f50bc35f2d50a17b0ba712eeeb8b5162190e19ecbfd1f04bcdf83963c96a7ba0ab7923237e938c5ace17f30471a85dbc67554aa63965813

Download Submit
C:\UserDotGO\adobec.exe

Filesize
3.4MB

MD5
f6849d3fd50a699101b2713e3dd663fe

SHA1
89f683bf7b0c2850f4ed1bb95002ea89063d019a

SHA256
790822b30338211ac4d15b25a239a4a5e218f824ad8bb975b26c66237e98cf2b

SHA512
88462d03a9116b10db021959d20208c9ce7c82b606fec7e441d0056d10847adf7f0a8b1419c05eb7e905da760f05882865e7bd85522ddbb03497c9259c6f2ab6

Download Submit
C:\UserDotGO\adobec.exe

Filesize
4.1MB

MD5
833940176fd51cbc9e5d4e3ace1b46b3

SHA1
2fb147cb978e2f7e9b2b2c13f36a273f28881df9

SHA256
3b0abe2cf523573321d3f894ff734f02ae21ce4a1de4df70cc72e8e5c5b0d80b

SHA512
8f3a66a249b7d1c7f3c48917b29b28c970e034c6b88ca9c29ed6c1216017a5c1bc025e5050307990bc58e5f08553ab01232a786e489d9803a061d26b045109f5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
2ca7dd5a2c537a46deb0bdedaf9f9846

SHA1
9218423de1f03b251602f777cef998bd1e967cb9

SHA256
42b59a9ea7369eebb2b26668d309f8bc286d2962a0265f4361c02624ab8ff706

SHA512
40c2df86b795613a7a1b920227c1984c3be4bfd91b448e9c2b22cdcd4ce79bf339c096aab291181fc9c8af1e814776b93d2ee36f5fe2ef6a886c76efeaa12599

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
1a96cb4851d3c6065209b1f99787e407

SHA1
b011772b695d5e3fe50d8f443af8ec8c1e5a3349

SHA256
39ef2600e8bb55ecec9a6b51ffa8781e302ab074c6ecabe65e34e8e9eba96db9

SHA512
d16db1d5dbf538ff18302ef6120139e104f6fbac8658e8f5ffd62f2faa31f1b5205f498db6fda1a48457ba02613e6a57a9c0cd23112006be8029f17413bbfac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
4.1MB

MD5
58f18ba7db47389f3d17357a7b28380f

SHA1
7d883c2c94837049580089f8077326b9bfaf3e0d

SHA256
3150c984b08fbcd4229c6a53eb45b467472ebeb33e93e92d372ad89bea0a675f

SHA512
1b3b8b98f54be86b8f295c4a2bfe249ac65955eed12e28c98e1116a21a444678167f01951d9898adf8c671eab8ca6d72963aa6f8be830bf6c3fc3804d6c04542

Download Submit