64ddfa4747bad726483b9dd99d16071449fdca3a4947623245d7c707dfdb7a85

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dc4be7d64ed0e95933acf70c794d390N.exe
Size

4.1MB
MD5

1dc4be7d64ed0e95933acf70c794d390
SHA1

b452bc2bed972cc44c597f19f1ad55f6a3f3ec8f
SHA256

64ddfa4747bad726483b9dd99d16071449fdca3a4947623245d7c707dfdb7a85
SHA512

e9fb88aecb4ac50e1c235265d67cd809653dda8cfd0c818d5a36fcf60287fe2b579e9ffda1dc9443a33e594f947f1a0452a293fcc0d4e0229e06f07ea2890b20
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	1dc4be7d64ed0e95933acf70c794d390N.exe

Executes dropped EXE 2 IoCs

pid	Process
3628	locxbod.exe
1428	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9Q\\xoptiec.exe"	1dc4be7d64ed0e95933acf70c794d390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4E\\bodaec.exe"	1dc4be7d64ed0e95933acf70c794d390N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4312	1dc4be7d64ed0e95933acf70c794d390N.exe
4312	1dc4be7d64ed0e95933acf70c794d390N.exe
4312	1dc4be7d64ed0e95933acf70c794d390N.exe
4312	1dc4be7d64ed0e95933acf70c794d390N.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe
3628	locxbod.exe
3628	locxbod.exe
1428	xoptiec.exe
1428	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3628	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	86
PID 4312 wrote to memory of 3628	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	86
PID 4312 wrote to memory of 3628	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	86
PID 4312 wrote to memory of 1428	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	87
PID 4312 wrote to memory of 1428	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	87
PID 4312 wrote to memory of 1428	4312	1dc4be7d64ed0e95933acf70c794d390N.exe	87

C:\Users\Admin\AppData\Local\Temp\1dc4be7d64ed0e95933acf70c794d390N.exe
"C:\Users\Admin\AppData\Local\Temp\1dc4be7d64ed0e95933acf70c794d390N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Adobe9Q\xoptiec.exe
  C:\Adobe9Q\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe9Q\xoptiec.exe

Filesize
4.1MB

MD5
8f0cbd29bd3743012bc6b305ef5cf220

SHA1
120551002c9e73a52a3012f610a54df0014af076

SHA256
afcaadaa30612f1c045a8f71a070eb1e80c2e729afd98b17b01891dc986ac694

SHA512
fc55ffe2dff1fc4f2b92463d5e83063e88a4c8488ecb41da3e6ba4d1bc4380c773dec74948355b5f23446c2877f6e0c1babdbada8869ce739027597eddafabcd

Download Submit
C:\Mint4E\bodaec.exe

Filesize
4.1MB

MD5
e50d0172ae5a2be308ec248ce9d9903d

SHA1
a07aa417188c9e3ad3364c9c58eb49292a92d0ad

SHA256
c4cacd6b8df2f261cd3532ed7cfd56727c3e82e4a302f72be0561fe17e8a734a

SHA512
59db3db5c7d31dcf517c2abd56d0f5c70f5c6fcae071b69f74574aa8ca3aae35f1e542e34c517f5cb0a4bce1fc27e7a65d86c61e2c4b71dfd8afc3ff0c6c39db

Download Submit
C:\Mint4E\bodaec.exe

Filesize
13KB

MD5
fbe3105945c809e8bf6e00f7fef8ce54

SHA1
e4b4b6a33f2126392c845abd1669f10511f5c42f

SHA256
588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

SHA512
50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
d4df9bff94d201ef91de24e4ae699ff3

SHA1
8d487c0aeffc53e24c8c2ee742e7d571595acaf1

SHA256
d505df219df310b23e3e2f014f59a128c5c30eb714c73387b0d5b741e5eecce2

SHA512
a1ef66ff8922bea2564d1861f520919ee99b35f0e7b696c88f65dcb9b06da037c686a0af2f1e30c5edc5b06d9b3fa7efd9165ebd65d8fba0e50ba8d0cd9962a1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
f50c83727f57cf8fcc3e4fcf58866024

SHA1
b30e5ce42fe07a4d1b62f857df823e3991a641de

SHA256
d78a686c16a5524cad1a274efb953971e4997eb3dbf403ad3a7ad5c858991bfd

SHA512
dd72551d4cb34bbde3309c2a385a67a2a6af85e7c3c785e338553356a609f08e61db5a25108276c39c4d1e48de3c2c4cf70296a9a9c2c962d2001db01681a12a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
4.1MB

MD5
285ebefb602c48509f8f2b2e3e9cd262

SHA1
9eef08fe0bab648b146c21a08b5d13f14e4161fc

SHA256
27197bcb4466a5aeaf7329ac4b85d311acbe780a949fd9fff1fa764620d48ba6

SHA512
78306395f1f4dd823d7e5903f7c0e30b07b87190f066c529ef009c334651826b4df490e34197c779007cedc64b72852b5b0b2d50f69eb948bff960e6d470e295

Download Submit