1bc6115269c55ed143c8583be0b372fd75a98b886e3dc3b959ce3393357520ec

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001fcf39241aa5b36286ca1b87605dc0N.exe
Size

3.1MB
MD5

001fcf39241aa5b36286ca1b87605dc0
SHA1

377c1c36b7b769a5188089a102335943b4e51ab8
SHA256

1bc6115269c55ed143c8583be0b372fd75a98b886e3dc3b959ce3393357520ec
SHA512

28870a82f5f9502f4627435d3d160f7ebdb0638b66a3eec0b46f1a0bcff28510c7fbc5c0d2d8e7c0abefae79d3feceb11a2d355b14ac1d4650d8f4b64a3f25df
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUpjbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	001fcf39241aa5b36286ca1b87605dc0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	locxdob.exe
2112	xoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY2\\xoptiec.exe"	001fcf39241aa5b36286ca1b87605dc0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCF\\dobaec.exe"	001fcf39241aa5b36286ca1b87605dc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	001fcf39241aa5b36286ca1b87605dc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	001fcf39241aa5b36286ca1b87605dc0N.exe
4224	001fcf39241aa5b36286ca1b87605dc0N.exe
4224	001fcf39241aa5b36286ca1b87605dc0N.exe
4224	001fcf39241aa5b36286ca1b87605dc0N.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe
3656	locxdob.exe
3656	locxdob.exe
2112	xoptiec.exe
2112	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3656	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	89
PID 4224 wrote to memory of 3656	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	89
PID 4224 wrote to memory of 3656	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	89
PID 4224 wrote to memory of 2112	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	90
PID 4224 wrote to memory of 2112	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	90
PID 4224 wrote to memory of 2112	4224	001fcf39241aa5b36286ca1b87605dc0N.exe	90

C:\Users\Admin\AppData\Local\Temp\001fcf39241aa5b36286ca1b87605dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\001fcf39241aa5b36286ca1b87605dc0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\FilesY2\xoptiec.exe
  C:\FilesY2\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesY2\xoptiec.exe

Filesize
276KB

MD5
6f67d9c0b59fd6d0b405952caafc9bb9

SHA1
54b45dc282309609cf7bbbb505b045a8064ecdcf

SHA256
f4d5b3e24b01c4e8668e9d18434168f3e764fc98570ea301a08dfbec95259502

SHA512
f9a366ba7e06dfeadd7bbeaeafb8719c232592d6de83c637ecb4b7ed46da02db859af862e2e1c8279fa710a04e07c9d142cd24b6ec359bd0789ce41819c81b97

Download Submit
C:\FilesY2\xoptiec.exe

Filesize
3.1MB

MD5
ae9c20cf8c35d1dd8b09c964667ab080

SHA1
4881a8013d76d4761d171dc669f3978174aa8f91

SHA256
92304b9d232bada7a8d9b720dfc4c86f75e777d104fdc23c4cc428fcdfbc9b04

SHA512
c6e56e5887d9b7a5a4d23dcb7f66825fea7822f9016972b6217e0aa0389288244014c2e5d2f4d5dad785315dfd6a45786bd69c9f7e9aa831916263c3243de9e2

Download Submit
C:\GalaxCF\dobaec.exe

Filesize
815KB

MD5
f912fbd8026a14c081cc1954d6c74617

SHA1
79b93f95c33526d91deeca30fcccd625f3575494

SHA256
4070e3f33cc2c4bbf15cd999432d7c5eb4f6a7b206b44308fc561102895bf57e

SHA512
4b0d3153e5da4420fb4553a5f701d5d0c9af1ad5fd12a9bf6705d17b92a050e7e62fc185a73097fb3fd757ee93e671830aae7321b88e5f3163604e12c60571f1

Download Submit
C:\GalaxCF\dobaec.exe

Filesize
1.6MB

MD5
1a694b8ac51a8121f15dfa10f159a47f

SHA1
c78feee8fb004eb8997877b334881b87cadfc824

SHA256
0eaa7dc6790ef62b2265be581f9124fbed8943e38923e3e4bf759362001ee168

SHA512
49e34376f0fd64a8de57d14bdca1e66825847048ec44fa29b64551073d77b30f010c2b99f61d1203f8df51a6baa62becbd956a8b563b96fe9770a5e206de9370

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
87b803711f1024ea01b02b226f71db79

SHA1
b5ac05dc63bca7bdf54a2bd6736aebcd4bab0693

SHA256
60b5176259922f67ca92b94ba3f37f22fdb3cbe244439dd5415a1d5363143737

SHA512
0f3a29cb36c9dc71da119d46ea2d177a51b5060cc072b9752f5e99ce70809c5192cf50b920194be28f28ababb4630c8aa6243692f081ae6fc6497b2bcf1567d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
f5bbef4280097faad118c4a4f398222b

SHA1
e5a7b64b02a7a1f5c8fedf24c6f66bf7d764ae91

SHA256
9fa58b51776bd9910dd5e2aa48de69c87f5e92bb0c0167718c11c8e13ce2e307

SHA512
4c13073a0552887dcb1a065eea5d4727a51a995d3b918a49180565ed7768508e6c22ad1b12e4d88eb9f65e558f5eb5b412eb19e66f6671950324b8adea54f915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.1MB

MD5
b70b6e9ef87fc7538850998be35fd889

SHA1
363f25f332d86bbeeadaf2d5ed9272456d379211

SHA256
0c9eb039719c62cf9c7ed65647e912c44c5d5e71580f3cab95c7a3e1826a920e

SHA512
fd5481af5b37bde76fb2501eabc70a69941b7b854e44671f0db51b6afedd6c627c50e5eb1c7873753ebcbf93c14f50aeca15a0f0f67d59ebb2564a3d189c0dc3

Download Submit