66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
Size

3.0MB
MD5

2320cbc6c83ad630c81bace87308ef51
SHA1

3fc27c0827bf5f948613aed1ce622fef6d810b4a
SHA256

66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0
SHA512

f4b68fa83c5d41963644f0f1b19009ac342c6ac18a7125dc9b06ffeda45581b3b9f0b22bbb85b1b6f65146dd8794608e8c1865ba89b6dc0e0c44b35e53e7af73
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNX:sxX7QnxrloE5dpUpBbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe

Executes dropped EXE 2 IoCs

pid	Process
2996	locxbod.exe
1172	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVY\\xoptisys.exe"	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax22\\dobxec.exe"	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe
2996	locxbod.exe
2996	locxbod.exe
1172	xoptisys.exe
1172	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2996	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	85
PID 1408 wrote to memory of 2996	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	85
PID 1408 wrote to memory of 2996	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	85
PID 1408 wrote to memory of 1172	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	86
PID 1408 wrote to memory of 1172	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	86
PID 1408 wrote to memory of 1172	1408	66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe	86

C:\Users\Admin\AppData\Local\Temp\66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe
"C:\Users\Admin\AppData\Local\Temp\66478737556fce3e317d8e526bbfe6f3c2d44802f26bfe9c979f7b7810e30eb0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\FilesVY\xoptisys.exe
  C:\FilesVY\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVY\xoptisys.exe

Filesize
1.1MB

MD5
23910b964e32e3776d5aedf2c382ae4a

SHA1
f908332965eca7560cc315923786f016164ddc17

SHA256
50e7b8ffe3b56e8e4981b204e6e9f0a96f73b51bc5280543e7a58a5a4dad3a11

SHA512
e370687455412d3aaa2a3dea52548c606920b6404b9d409d1138469ec6ca0157cae6046bd2065248d02738b0d0aad4ba5acd480991f766d6c7840331ca62912d

Download Submit
C:\FilesVY\xoptisys.exe

Filesize
3.0MB

MD5
2a3746673f49e4db51f28371a86f6d66

SHA1
3a98a0d73c842ba4ea4742f010f5ef4745a922fc

SHA256
adc16386111b2fd8b458407a96ac6fe29ececb2ff72c10230a739d08ffac5204

SHA512
3f2ccb8f978de490dcbc3564958031d413cf421bda9229d994133a15a63c3991b1983d3967856cdf3ce130044dd623f6b2440f7580697b8c2e2dbf5b7859baf6

Download Submit
C:\Galax22\dobxec.exe

Filesize
3.0MB

MD5
75d1d6a889c067514db76896c1c9f0bb

SHA1
b304b1a80c33208c078437a86001041fddde2e14

SHA256
96a369e9e24ddcfacb063234d5bb72f011ab5209a3e055ec8d120176e4e5d84b

SHA512
93be494812843622e98b85ca613558a11525aa3dd5944adb86c012bd91dc47e184dca332d93b6aa732e1ecb1666f8bef025572ad5861bafaeb94f99cb96807de

Download Submit
C:\Galax22\dobxec.exe

Filesize
3.0MB

MD5
ee332a6d62beef876e71bae554aef1a5

SHA1
e493c547327c75e87fca634311f2deae9997d3a3

SHA256
51d23affa7f2d38cb8ed184f2097514c10751e6fc22aba5c90257bf4c783c473

SHA512
2f7ee9bf7942f59bceacd3e4c1e27a0d64a12272f353e41ff4cd1db87e758317808dab1bcd08c5f4cc0d43bec64138cb827b44bd9fb87c5c7a55eaaf60feb30a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
1bc9ab138d0dadad81d83ebc92105c29

SHA1
2028724a49e402e1907512b7e1d1db890da0a3ac

SHA256
dca043b9e6fa1f1aaade577d988f59fb5d7edd12a218e3d4144c0893b8746183

SHA512
95ab9070745afebb1f6b6b6440bc43fd304845ff9ffe64800e3e58509bbed8a31209171e648b27f5a9505d7faa87ad315bb4bf3c0de750eb70c5e829bbe32373

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
ce5e5f3cd4494b72dc7fa9f5d2fa6677

SHA1
d15fd076ed73673aec4419afbe82d52ad7174c51

SHA256
10b439173e55b4f30c052f47ef01eb6b27a4ed475afcae8ba188aafab3dd9ddf

SHA512
7436ac7d409b99b9ad6b791a4d9ee68f7317567fdbadbd279c205828e3cc187364797276b2a79744239f50008c55670d5c088afa13d40f51153a2bc87d59217e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.0MB

MD5
445aa4f4a5b234438123ffe179fbcc00

SHA1
586be2becc227981cba37811635d61114cc61286

SHA256
1a92258c8d62db2b604c2630191d9c3e3dce5baccc8c19629e5e583f7417fefc

SHA512
ef789003abf28e9577984166ca951773bf55eb52937c3f8b1290196bec0c129c4aee10fd1e1f8e250fdc6246a67ce43ac286354a3ead8492a4a0ea6b0669d972

Download Submit