3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
Size

2.6MB
MD5

03804f7f2533c60214c4201753867ed2
SHA1

b76d1ec4d7463c26afd6647b60b1e602b4b1117a
SHA256

3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4
SHA512

be52caa309218e2c835b4fe782aca42666df46de1e09fd9f2bf90a39c4fa70767084c4daab3958a5415abe6ee7fb4dbb68925b6a640d56e8c9df100b7d891e79
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	locabod.exe
1436	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7E\\xoptisys.exe"	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEH\\dobdevec.exe"	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe
1992	locabod.exe
1436	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1992	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	31
PID 1980 wrote to memory of 1992	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	31
PID 1980 wrote to memory of 1992	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	31
PID 1980 wrote to memory of 1992	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	31
PID 1980 wrote to memory of 1436	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	32
PID 1980 wrote to memory of 1436	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	32
PID 1980 wrote to memory of 1436	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	32
PID 1980 wrote to memory of 1436	1980	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	32

C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
"C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\UserDot7E\xoptisys.exe
  C:\UserDot7E\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot7E\xoptisys.exe

Filesize
2.6MB

MD5
3bf0ea8743e0801be5a7ef1de0a73ff3

SHA1
e0c8b807c4f9eabc23787cc696e50788ad60f922

SHA256
837c7a2a1c38fbbb4f3c8fb8eaceba4d136d86e91eeca214597103158e4b0bd6

SHA512
cb9f82109f282caeaa6a328f3397b28c1d053d0cfe2d2e2aa49189750e7d83ebda711da0c5a6f0bd99fd2ffb6afb21caa9030baeecb86ebb0e508aedc13f38e2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
cb2d6921671af40eb066d4a5f088430d

SHA1
a0bd063e3d291995dfb40f084674be60e696f4ce

SHA256
0f06aa998ac0b7924ec5710c249f87c9390fdf5d7ce54115bc3c466f8a36c23c

SHA512
e4676ce1d833e2311b38e4bd8c68872ead8522634fef6048b716346d5af24d818dc3dc09d395d7baaaad11f451d347f26849faf6a1281c20bd5898b6a375da67

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
48e19bd244c156024be3f75051ed195f

SHA1
8220bb16b6e61e1420792bd5f02c963c4ff9b9e2

SHA256
bab1627ec747e85f372179b70ab4ce401814cb9e0fc4b8c3b7347efddac8d379

SHA512
4795edb367fb11db13fe7c4029ecf8fe84f244e724c991449b64790b63c139e7f945787686e1b73909f9db9e8db7d3592e3a976f5c359ca5611768587a421099

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
c68890d9d97a40a9b8b8331e10840da8

SHA1
8ea84d9c4b92eebd89760fa9a90ecca087efbd9a

SHA256
5ee787ccae096894b66452a32a98ce72bdbf36ff5529bdf0286fe287889abd2d

SHA512
2db6764bf441fb73ae83b00ee1b20b2a2cd2b9c1523b2291c7f18df8a6079c596dcae3035ed09f9e922aef6436385403e615f267e2e8c01851482859aaa3dedd

Download Submit
C:\VidEH\dobdevec.exe

Filesize
2.3MB

MD5
959986866097dece1caa073cd1ea9928

SHA1
956a3d005029a0623f9de680dacc26a16889eefa

SHA256
ac97caece027efa748762b5ff51b2ac7430f02f9817d9c156b2186c4baa6357b

SHA512
02adbddc7b65a914a6d2fe0ce55ceb84c9be9ab064f4e745fae13606c272c03fa74e5c0925bcccb555aa4de600adf241e1d6d2510d83d88950cc1e1ff1be0845

Download Submit
C:\VidEH\dobdevec.exe

Filesize
141KB

MD5
04e3f0c6a3297b9a431224b06a410294

SHA1
5d118a7ea1581b611c16b19a074774a947f2fe91

SHA256
d168fd61d2b5745ccd7ba2305d727e78fdab40746ada81133c2745cafe61ab28

SHA512
cdb6b31e378f787327e0d336f6decc8391583570a2a18b6debeaa23a82b7a6c8edcaede41d5513f5f9b22690f62d0fafcd2b6f7c93d847b3cf52748e64472b1c

Download Submit