49a304d68501b3ecc375f09909ae0f409e44825caf22927182a607d68adced06

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb88aaf25690e97bb6dad8fff86e3d00N.exe
Size

2.6MB
MD5

bb88aaf25690e97bb6dad8fff86e3d00
SHA1

019c186c2999ace1395078db7ae6ec3d45d18b37
SHA256

49a304d68501b3ecc375f09909ae0f409e44825caf22927182a607d68adced06
SHA512

ac2dc5e54b900640d35c15c6c1a2cff12183174fe8e616069b0c6b4b14ebe2814a3baad6041c8625b6275c0890e71685e96396862d1f0d524a85228f89543069
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	bb88aaf25690e97bb6dad8fff86e3d00N.exe

Executes dropped EXE 2 IoCs

pid	Process
1036	locxopti.exe
3364	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS7\\xbodloc.exe"	bb88aaf25690e97bb6dad8fff86e3d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKC\\optixsys.exe"	bb88aaf25690e97bb6dad8fff86e3d00N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe
3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe
3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe
3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe
1036	locxopti.exe
1036	locxopti.exe
3364	xbodloc.exe
3364	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1036	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	87
PID 3120 wrote to memory of 1036	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	87
PID 3120 wrote to memory of 1036	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	87
PID 3120 wrote to memory of 3364	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	88
PID 3120 wrote to memory of 3364	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	88
PID 3120 wrote to memory of 3364	3120	bb88aaf25690e97bb6dad8fff86e3d00N.exe	88

C:\Users\Admin\AppData\Local\Temp\bb88aaf25690e97bb6dad8fff86e3d00N.exe
"C:\Users\Admin\AppData\Local\Temp\bb88aaf25690e97bb6dad8fff86e3d00N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\IntelprocS7\xbodloc.exe
  C:\IntelprocS7\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocS7\xbodloc.exe

Filesize
2.6MB

MD5
e58733b94c3982dfd273b4c21fbbde28

SHA1
5a514aed08b50fa87f667eb1cdda3e1e2b9d89be

SHA256
bd0ef00711cfae5deedc05787be3942ec92f46b0f673cc94bfb4907bdcc6af1a

SHA512
eef082f1a617b71f6be687f01f2329ebdd7408ad12403d230bc22459d93467635cd5740af5222869037b5990bfbfe7047d3d2c4fa354ce7520d9ddf74bc25091

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
5ab7182ff4f2e4d5166fa1c84cc8a024

SHA1
8d324cfe245d18ce4760ef56749152a662a0193f

SHA256
6d54975eb205dcdde5724e979cc5010cd4f532f56094110014b93cf1cb8fc8ce

SHA512
21afb71259115ebcabfe0aff81397023bbc447404c53d950bd5a03e912fc769f50b048131dd40a16fc88d6f76b4bf6063a835cc29b65b4ff18eaf8d2be540c35

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
4c02c3173ac411f2a4322a03660dd4a9

SHA1
52f2b75e1c83ccfb10ec333f0c9d619258f1075e

SHA256
2a96087a8dedb168c0a9731341f3d1ec5fed5615b20ee44061637971c1144251

SHA512
19080af3bc7207df68149e2f67221d29cfebdacb7a77dcdb1668009a2e6c8582cc43d9c694e0a1cea9292c93c41dfdde3c693c06a447e7dc9d8d7e76b06bdaa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
c35036d8ebc53ca71c8b5da555d1122f

SHA1
7e3b60144cb941637c8fe64031f6f4a784b9a12d

SHA256
681628445cd9f54342ca1eb99addfaaaf77dd69cc04e7a5db7e55b3bb82014d6

SHA512
76016a4b204b658fc9066367566353a384b056bc224f75fe33fce15f77be62b9a6192f982195767cf756ba7f2f18c44e18dbc693076b78edb67da55b9d5b13ba

Download Submit
C:\VidKC\optixsys.exe

Filesize
2.5MB

MD5
df447902bb8feb531cdadbb398cfc847

SHA1
5ccda15cfbe6690c06ee6f54d77bc388209b8733

SHA256
6a7714f459e198a31ffcb21eb0a0010c02bfb0c72397b0c8e261d707da041a09

SHA512
6d9ed3f7455f66c993015777f0c9eb3702ff1703836f205735889b804ed14a0123e27ecabb562dbb412c081301ab07a73bf0816b1413665f2aaed905b2fa8854

Download Submit
C:\VidKC\optixsys.exe

Filesize
1.2MB

MD5
9633205f6fb606065872fa55feb79034

SHA1
9c54f73a00bb4588979196626fd55b8526a9db5b

SHA256
5e5067d38d9e7417c593d2a31629c251f9dd2d945ede02ae0d89e317a17e6246

SHA512
d0dad4a65346563ff0f753701d0dc6faeb14fbf149a433ea3a9842b23f0e193adb3f11e554af5b6b2383dac7d18bb38bef720b1a548cda8014d12b4c6d6fa516

Download Submit