153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Size

2.6MB
MD5

1abccf097d1132466158a7e067f5c2cc
SHA1

e98410ebc3c8f26b008488810ed4c53b7271da18
SHA256

153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95
SHA512

9eeec6af6720a71be5b20ea0b0b7d72fd94a956d814ea8b5df8a2318c42aec67bf30bcdce400d605ccdfda41abf3c8344b865f55e8b2c1b15039dba45530181d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe

Executes dropped EXE 2 IoCs

pid	Process
460	locabod.exe
3636	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDZ\\bodasys.exe"	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPU\\xoptisys.exe"	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe
460	locabod.exe
460	locabod.exe
3636	xoptisys.exe
3636	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 460	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	85
PID 2612 wrote to memory of 460	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	85
PID 2612 wrote to memory of 460	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	85
PID 2612 wrote to memory of 3636	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	87
PID 2612 wrote to memory of 3636	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	87
PID 2612 wrote to memory of 3636	2612	153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe	87

C:\Users\Admin\AppData\Local\Temp\153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe
"C:\Users\Admin\AppData\Local\Temp\153b4c2051926f0004a832501d0143b2eb866360e114330d45e20e5fbb8adf95.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\IntelprocPU\xoptisys.exe
  C:\IntelprocPU\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocPU\xoptisys.exe

Filesize
2.6MB

MD5
b5d1ddf1e96f8cf17caaa2c9da4ff8ae

SHA1
96cb14753b09379722dd7c32886827e14af4dcea

SHA256
6beeee3996c418da213dc0257125144f382556329eabebcff09fd0af2d981cfe

SHA512
343b4d50720363b6134aa13ba535c37b323d65faae5ed1b1db36f38b5729bfef3a2b0fca218f0ff1129200730f0fe8c8e0867f5d9b082e8830a833b523c4bab8

Download Submit
C:\LabZDZ\bodasys.exe

Filesize
2.6MB

MD5
533d6ef1f5652d5e8c7523b85870ebae

SHA1
81d8e707c5eff641e83606f87db7d6482d6f9771

SHA256
8e8806cf4895dee74b5d37b3fa0409d538f5ccb6d988ba5640595bb620058241

SHA512
6c1ed1d5af0c54cc7753be52aae397794fda24cdb90dab998978952388d3587588ac4dc731e7535cc787fd6daa92b89a70535e9f60798bd99b41d36cef2afafe

Download Submit
C:\LabZDZ\bodasys.exe

Filesize
2.6MB

MD5
e78337b2400a09efdd5bebddddbbb5bc

SHA1
9d9ed85eec61d2f680ee28c54f85a8f80e4ff7bf

SHA256
56e857c140bf65144c6cc0fd2e43bd2762780a2a670c0ae4ba20461f7f86c8e2

SHA512
1fbffbf1e3e86e4850981d1b7047e8c5363814628f8bc1a6211c328db458f9ffe1ee7699aaa7291f7ef616597d04f6ef7dea7f598b0524ca5144498ebecaefb3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
745ef9596f66045e8b05d1ae7b6bb5fd

SHA1
9f19e50ae63ea8b95884ee228afdc714e4ad470d

SHA256
28cddf943834693d4f32120c23b716f5ee137a9d3b1b26f48a93c2eaa5e9b706

SHA512
20510f6d18987dbbda419d544c85dcb16c6298dba6e0f3a1bde8f3da235ca49afdea925e959eed4ee7a04e578c6ec7f520e343108fbd1fa3bda8006107c751f3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
6ce3f04685ffc6e3e9aea27a1df52252

SHA1
51af063eaa88f320093e4487de82e57ffd938865

SHA256
97939b9620fd5af703e4f1e8acc37b28efefd15832ea42267555475496ed604a

SHA512
95e7d023daff8ea046f4113e286aff3ebd39dde7755baed55b35c914c2f3e7e377cfd8cc91c2ef04aeb6f16f81f0276ce55a60e999b7b9f7ac082b668e61dfc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
443f9d7e7246db2a4920e96f4e4dace5

SHA1
c704c5167d85357555c234f9accb801f96bf1035

SHA256
f52295b0a61a10365998514c4c5c85a7b367390be124320830b71bcdb4f97990

SHA512
aa5943b52b4fe3af9d87ee5498c3af68f48bd9c7cee2caa3904beaea3a00f644a38695d0d4513695b8075d750cdfe26b95ca30d67e2849185c209fe3dbc49f44

Download Submit