7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Size

2.6MB
MD5

9f7c74b3e33e5300d21f6596a1306610
SHA1

75036ff3be8f0698445c5161f4b824cb68f8c206
SHA256

7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588
SHA512

5bf5b8d3833260c9fc8f6028521ca1eb3923b09dc462398b27071f228a63fb9016ed4a3e3e3c4c0a6ab31664ffd9af16a3cef1a84ad778c227336da4336276a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe

Executes dropped EXE 2 IoCs

pid	Process
1728	locabod.exe
2532	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot68\\xoptisys.exe"	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxES\\bodaec.exe"	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe
1728	locabod.exe
2532	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1728	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	30
PID 1700 wrote to memory of 1728	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	30
PID 1700 wrote to memory of 1728	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	30
PID 1700 wrote to memory of 1728	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	30
PID 1700 wrote to memory of 2532	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	31
PID 1700 wrote to memory of 2532	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	31
PID 1700 wrote to memory of 2532	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	31
PID 1700 wrote to memory of 2532	1700	7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe	31

C:\Users\Admin\AppData\Local\Temp\7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe
"C:\Users\Admin\AppData\Local\Temp\7a7f2db1e0deb2046c62d660a409bf8a7794244933b347af8ae2a2b88e2ab588.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\UserDot68\xoptisys.exe
  C:\UserDot68\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxES\bodaec.exe

Filesize
40KB

MD5
65e46c6a3eeb874ae912f20e75854bf7

SHA1
6a31e2a9bceb02e7997648bdf7f3c777bd2807ad

SHA256
69961451c4bb1f21c8deedaac97a36d39729138d632bdaed261f336f30f6436e

SHA512
498954f5a999e21a7f3f2a05b2359bf7896edf7c63dfa34975c1b06e1b065e59e65341a9d11b8f2ae08ca722d0f834ce29fc2f8a1ade5abe0b90bf2d98667ce1

Download Submit
C:\GalaxES\bodaec.exe

Filesize
24KB

MD5
3ec2a465b54d769a7f3d66e20b3c7f81

SHA1
7b85b7c06cbef1c6ae009f4bb29c7b0fe15f820b

SHA256
e9ad19bbef39ef632da099566665f963ff6fc962bd436ccc46580e705d366ee2

SHA512
a8692013f95ae74ea35930a505d2357385b1d7ae1447a3135b9d24df39ef741e2b6c5951c6a138cf6ea148926caaccf6d3cc429d97b17e512570c7b8590c157d

Download Submit
C:\UserDot68\xoptisys.exe

Filesize
2.6MB

MD5
534078d4ac396809a01c88efd5c6cb6f

SHA1
877ec4c3d22456b9766c62f17b221cecc60b1574

SHA256
22bbad83cfe6621083388c094c7ebb7d3eff31e7c52176648ec5a3a2d86f481e

SHA512
39810c811486509083288400ee6086ba2a577c06a09f0fa286523188e71300c06d169fbe0718eb78bdbb81ef604a520f9ab39833e8d2df7de648974360f0c802

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
61a4e943e276350e545472f356346ec6

SHA1
c2372693a7a18974b818b6a3f478f3573d766e3e

SHA256
039a88244cd4c0b30cd3d701a96c9f7139194e08ca58407158533f06ad4866f8

SHA512
27b0d726ed9b8319b664615064bb1aefda5430cd978572e0d2e6c2c5fef878e795789fd7de0c3a5ba69065d58bf6db4c1e6371e959da5da48d141dc1cd4d7455

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b68f5cc85a7ff2ea0eeb772160bc1574

SHA1
22fccb8b7b1df7ba732d707fe476561a82b6e263

SHA256
4a07c9e9dfe835c6df1e8c8c7b55a0c0b3a9bfa3f948893743916ae284326763

SHA512
3f0ababfa58fe400dc0e02cf512f189cf8f81a144a23543810a0dde99a3b91cb5af8215d6c6b3e9c0d12c36167a18da1610a0588d4ad3d2252a1ef3757bd3498

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
1c16a4d365540a1854bb013015fe5018

SHA1
7ff4781974494830776f7774acbdad203f99363c

SHA256
42d4e20869da89025aa0560e258a23c665e6c510cbd4182a2a15a2121b69d38d

SHA512
41c5f77a7190270e2d6926853fe727caa5fce3d7d826d19f51352c1eb8f8e692dabe3c206ac8008aab53785297f083dc64fcce83a782fbc942c9c7fd6b222f33

Download Submit