f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 08:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
Size

3.9MB
MD5

bd9d4a797a07d88b048aed6a4762e21a
SHA1

58c1b944fb8070862b40c4c0885a11c36ec89466
SHA256

f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da
SHA512

6735be72b2584d4c34bf4ea922a9acfa8dc992724b20f1332d8a465306d876bff49abe574e572f172671d8c0bcc1aef08eb58e9dd3ebf1e54c1566a062c0ee7f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpebVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe

Executes dropped EXE 2 IoCs

pid	Process
4696	locaopti.exe
4104	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6K\\xbodloc.exe"	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBID\\optiasys.exe"	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe
4696	locaopti.exe
4696	locaopti.exe
4104	xbodloc.exe
4104	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4696	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	86
PID 860 wrote to memory of 4696	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	86
PID 860 wrote to memory of 4696	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	86
PID 860 wrote to memory of 4104	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	87
PID 860 wrote to memory of 4104	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	87
PID 860 wrote to memory of 4104	860	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	87

C:\Users\Admin\AppData\Local\Temp\f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
"C:\Users\Admin\AppData\Local\Temp\f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Intelproc6K\xbodloc.exe
  C:\Intelproc6K\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc6K\xbodloc.exe

Filesize
108KB

MD5
5ed6bef8a0080240eeba7b14e886debf

SHA1
1b9e9846a3ef0b9e84ffc6d80602c229be84c4cd

SHA256
a7e0eb0bf40f8b394a022fba000de45c3a661e6e96f815201be42c7225cbb24c

SHA512
81c26c67fe0a09a00433287e46bcfd2b115988732595318ccead05b079ead86e6f8d6bf7cad64fa9d451b90bb77ed56b613f1ed2e712a59a493bdf1e180fbfd7

Download Submit
C:\Intelproc6K\xbodloc.exe

Filesize
3.9MB

MD5
57933d6caba41c39d592c142a76ed515

SHA1
c4952b828aba064e43d6bacaa00c6ff018544691

SHA256
5b17e68aadbcaf191b8425632578bb64678405b4779781297f00172272b5d546

SHA512
0c0a18aea477627d4fe571b9d2c3be343a872492670ef4056f0730b9113d46b24aead8e04b03a2aa416c9287d028f358b0c57f8344cb6c3c076f1a0c3d6c89dc

Download Submit
C:\KaVBID\optiasys.exe

Filesize
559KB

MD5
6d2f525f40b2ef5f93fe5c39758a7496

SHA1
6409171b7189bc4885b53b18a5f2a41b7266a833

SHA256
9267371852738fefde9b25918348578dc4760171b9e16828aed0ee700cae8dbf

SHA512
efd86178fe8f6243498f1ee6972e474c2b3d4151e5793f226d9276cdee098812ea2f36de5b2a5cac27d7bebf60e627843eeb1e0beafeac78029c3a4c9c137328

Download Submit
C:\KaVBID\optiasys.exe

Filesize
3.9MB

MD5
a581fd04e9e993bf18eda89549f13ae8

SHA1
ba3d40bcddcefc5e3e83083f0f835a0fcc531ae9

SHA256
202d3e35fa30f594ad85516d5fc130e2e3b4bfee805f2a41ae1f2ae8aeb0033c

SHA512
adb4cda8c4f09193d71455ca51c0f0dae96c6ede688481db67e33d5d1632db0afc1e8349260dc6ed421b7478e5e047676548e0f9c2d31ef8acfd64c5ceeb3139

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
2fafae95e063896987aa14b86e590f06

SHA1
17ca91ba6b846db6ad3b1cbfda7b2484c2f100e8

SHA256
2569536841e30bb4ea8630cc891a3feaf74ea184499f00158784dc1d2ecc6872

SHA512
8a53d976fedfb1812dcde08a1226850b4be345f452940ddb1e2d364a0d95de4fbe58030ef6040d3da74cddceb1da6d5e78718853b0afe100766fc10c23e5b174

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
64bd30574e8847b96e5421160e50713c

SHA1
9dee3199dba8ef2b4b57609c582b2e9c953babe2

SHA256
8cb9849e602a603c0130e1b9cccddec16705dc8306ceaf241a548601ceb32704

SHA512
e4d07ab8b7670d640b7be7dae1b882f3e019898383e2a70b6297000792c48d425c24829950128def1b02d78b39c08f2ff0aea1ca6e24d50982bc7590873dfbd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.9MB

MD5
b2b37435caabe67b7e705dff15735500

SHA1
15048c97477e35828c3ef49533ee5a3e2e09032d

SHA256
82581a0bcaac2da7e323c41478062714978e43c1eaa84255288ae957c0656b70

SHA512
4c1a1e9af01e7f30187791e5b1ad9a745ac646326044b50685aeb317e360a3a115ec124a3942c629c8893f1f6316339663d8842a9140de2c48aed245d85e43ca

Download Submit