5a0401c7eea8305d1060e9548134013b56c3f670b05e5f06d9d4f58e6fcb8b81

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43d15359f8ed33652062840542305b10N.exe
Size

2.9MB
MD5

43d15359f8ed33652062840542305b10
SHA1

43e0a0b89a03dbe276bf459b9514cefbbe276bea
SHA256

5a0401c7eea8305d1060e9548134013b56c3f670b05e5f06d9d4f58e6fcb8b81
SHA512

21ae4eb07027328392a80cf9b6b3a8464cf5f9b91fe064860fda7897b4c25222490155c87231db2024fd8240d524e02252271af925c5f4eecf71db26ccc8ab5b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8:sxX7QnxrloE5dpUpybVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	43d15359f8ed33652062840542305b10N.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	locxopti.exe
2840	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	43d15359f8ed33652062840542305b10N.exe
2136	43d15359f8ed33652062840542305b10N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0S\\xoptiec.exe"	43d15359f8ed33652062840542305b10N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP4\\dobaec.exe"	43d15359f8ed33652062840542305b10N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43d15359f8ed33652062840542305b10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	43d15359f8ed33652062840542305b10N.exe
2136	43d15359f8ed33652062840542305b10N.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe
2820	locxopti.exe
2840	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2820	2136	43d15359f8ed33652062840542305b10N.exe	30
PID 2136 wrote to memory of 2820	2136	43d15359f8ed33652062840542305b10N.exe	30
PID 2136 wrote to memory of 2820	2136	43d15359f8ed33652062840542305b10N.exe	30
PID 2136 wrote to memory of 2820	2136	43d15359f8ed33652062840542305b10N.exe	30
PID 2136 wrote to memory of 2840	2136	43d15359f8ed33652062840542305b10N.exe	31
PID 2136 wrote to memory of 2840	2136	43d15359f8ed33652062840542305b10N.exe	31
PID 2136 wrote to memory of 2840	2136	43d15359f8ed33652062840542305b10N.exe	31
PID 2136 wrote to memory of 2840	2136	43d15359f8ed33652062840542305b10N.exe	31

C:\Users\Admin\AppData\Local\Temp\43d15359f8ed33652062840542305b10N.exe
"C:\Users\Admin\AppData\Local\Temp\43d15359f8ed33652062840542305b10N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Files0S\xoptiec.exe
  C:\Files0S\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0S\xoptiec.exe

Filesize
2.9MB

MD5
519a555aa30ad2afa3baeb3204ef25fb

SHA1
74bf9cf7b494ef7b809cfe3a07502715e1588ab0

SHA256
c4345a801cb818c69a27ba9a8770ce6b00ac4ee13fa325587b5d307026eefc88

SHA512
f9a81d60d508504b0a9361d8b5227aec12f8cb16d05d539c9af6ae2b18c6d254d7b5e898082a8790c0c12d4635adc778be1fe279ffeab10a5640fbbcf91c4161

Download Submit
C:\MintP4\dobaec.exe

Filesize
2.9MB

MD5
aa95c89e96fa199dc3abb22537fa4946

SHA1
8d8742a112a426300be071fe39d8492131376bbd

SHA256
0720ce2c2d4394f015ccaf7b09c26c6e804dceeee5307f24401b81d2cd7b26b7

SHA512
0115830393adc82f31426a2124f45da79112d52408bd58c6ecc5f69192099d118d10c591610596a5807d4a1a70d7c212eb7e8745a0fd4345b6cafe298fe0810c

Download Submit
C:\MintP4\dobaec.exe

Filesize
2.9MB

MD5
2e8bbf6498f228fd77758d9690e4150e

SHA1
d066c85c675726ea0997148c4236343879bd2064

SHA256
754d7292aa66bdbfcd1dec2c7c2d6f6c120edbb6701473bec0b8461d1274b681

SHA512
db15f22300619b527c6718ed134c106a207b2987a292d9b5b4182c884a681f8a6efd923a7c8858fc4df64b457cd2b25090c4c01513cb40c8195a36eddc506cc4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
7eb193a6485b56a285d4242ffe2159d7

SHA1
60683c777abfa6c688ddc5c48f7ca6040f4be980

SHA256
24f9d9074f080b53992f176dc3edd87833c2696b1eed1fcbc33ebb83fb2a5d23

SHA512
044f5c8023da3757953852451270d55e4212998cfac4473908b97ebe6140eb26e3194fbc437da4b3b142530f701047379290f3456eca34ae424be65bcd3b83b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
8e02ed9b849ad91fa2434e7dbd8d3cff

SHA1
6531f907ff379cfe8402ca3d1deff93b2b1a05f7

SHA256
85397d060d25996f4631f0b2ed6738393ce7bdee6b56a26f47bab35004b93a5c

SHA512
8b71397641ece6d17076fddcc882d733fa0495fc82373f965f7eed29a65c8b84fb78c640a272a23c306503bc44f8da691f424874462c463cd59eb1a5629bc739

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.9MB

MD5
145eea18f62c95bee529f5802e60cac0

SHA1
93ba225d41b21f1e604be9e63c06b546f16a4226

SHA256
ce3ea6af2e687556682783103375ab21ec4ae82b5454e272d779ad17ad507205

SHA512
1ac309e6fc5d07643fcaf9d0c272f256920a07b18293421d25404d2013e11f4aba1952961ef7339f21404d49ebeb76f13cdaabacd29809668cb4061d40acceb2

Download Submit