70ffdce5ed303ede96564a5ab3c1d2038ff79e3242efe1ad145c26ed1ef3b096

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 02:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4857ad29af6143966e55f3b8d6f3f80N.exe
Size

3.0MB
MD5

f4857ad29af6143966e55f3b8d6f3f80
SHA1

35fad28877f91a081ceb25885c1ed7165eb832ef
SHA256

70ffdce5ed303ede96564a5ab3c1d2038ff79e3242efe1ad145c26ed1ef3b096
SHA512

7139b3eea6c79ba9cb1ef4e80421ddb1739b7b18411cb6dffe9bdac36cb500c0fe26b74668a86e6a23739c99feeb0affd6e7d73ed7aaa9e0a6bbd4505f554f5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	f4857ad29af6143966e55f3b8d6f3f80N.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	locxopti.exe
4488	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDQ\\xoptiloc.exe"	f4857ad29af6143966e55f3b8d6f3f80N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint42\\optidevloc.exe"	f4857ad29af6143966e55f3b8d6f3f80N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4857ad29af6143966e55f3b8d6f3f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	f4857ad29af6143966e55f3b8d6f3f80N.exe
552	f4857ad29af6143966e55f3b8d6f3f80N.exe
552	f4857ad29af6143966e55f3b8d6f3f80N.exe
552	f4857ad29af6143966e55f3b8d6f3f80N.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe
2640	locxopti.exe
2640	locxopti.exe
4488	xoptiloc.exe
4488	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2640	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	90
PID 552 wrote to memory of 2640	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	90
PID 552 wrote to memory of 2640	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	90
PID 552 wrote to memory of 4488	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	91
PID 552 wrote to memory of 4488	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	91
PID 552 wrote to memory of 4488	552	f4857ad29af6143966e55f3b8d6f3f80N.exe	91

C:\Users\Admin\AppData\Local\Temp\f4857ad29af6143966e55f3b8d6f3f80N.exe
"C:\Users\Admin\AppData\Local\Temp\f4857ad29af6143966e55f3b8d6f3f80N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\IntelprocDQ\xoptiloc.exe
  C:\IntelprocDQ\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDQ\xoptiloc.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\IntelprocDQ\xoptiloc.exe

Filesize
3.0MB

MD5
fb96e0e470d2ffe05948ad0339157d88

SHA1
c2cf94993ed1a9eb813ba39fd214f05be3cf57d7

SHA256
3b72cdbbe31bc07f3e43c16e75e1e18a4eb9dd97bbf86242fb35461bed6d26a4

SHA512
9680d5e5516b3f95ffc9d5bd36d6bf6560bb261632402a114389ad7261f8158c9ea415a2602a9500b206723eb3650e3cb1e827a12682a1f4a7c311f09a95cbe4

Download Submit
C:\Mint42\optidevloc.exe

Filesize
14KB

MD5
3d45b0eaee6cd60ad4f5568ac16ef258

SHA1
d7e11caa9a67cadd55724afe2d1d84adab824cea

SHA256
ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243

SHA512
2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b

Download Submit
C:\Mint42\optidevloc.exe

Filesize
3.0MB

MD5
3f2c11fdb68c79e5a63dea678bf68ef2

SHA1
c14d5023e1e6c72e4ff3dafabc49e43a5f26917b

SHA256
a430a3e397cb8211fe95292086e0181e72ac0d1952f6a4f644ffd4b5e0a5ae33

SHA512
118dea79a84749775ec2de231ce251af53eaa122c596a9bae8a6bcb15ca1c3d92bbd23375c320de2297a582b6ada89740a50270f165041852ad28d2a194ffdf9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
0cbe293b99255388f263fca229c77305

SHA1
a901e8d5da73f5f5716bdd9e8d8ff14d2b0f984b

SHA256
a4648a0801b1aeef59616864988c94d7f2e75265da5bd77ed81b32f9ea6da4c3

SHA512
1acb4915254982a85fe02e34839aa28c6475397e5ac70a11a8937f9e218e0aa61f0ac599388a88f9d9b0c945ed82ea55c24db21d242ddfe28c695c3348e5b2b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
f7b98c0c1db9c531d5310622f6873321

SHA1
645260ffb2f7a49d731b2a9a700ee4aa3040df79

SHA256
81709ea9c6d318cc07432896cdc25a31212fce6b97e0f95a671aa8b1fdb4f19c

SHA512
6f286c156b2523e7f1a933596e18427e688a41a17db8d2400bfbb7684c1fa27949fa2060cb2717740af189783c18562eff718848aad5e163da55629f373e6155

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.0MB

MD5
13f5739b55144a02f0ed8d157b0da4de

SHA1
a9a8eda3ef36d97545404e0b61038ecf8d2f5a6d

SHA256
0604204b0a67866549c1d386f41dbde66e226c49d8139229ae9e4eee970de0eb

SHA512
f748086bf7a44984d7a9d40c6a23ef36ca8cf742a51cdb4ceeaa8b30e2a94c2a46c53bef259de8393401706ce8f7ff278e4b14eaf6f498fee6a76f99be0e5e1b

Download Submit