ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Size

2.6MB
MD5

a8997dc1a098d34b1a5275cdca2fcfe0
SHA1

777296c1801c7cc4ba11064833bd2750db28840e
SHA256

ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050
SHA512

92a5481c6137b6ae553abae078a757fca9ca8178507d4c197814cd6e1cda0b8a48343bd66919656376892ad2ca4d950577a69f77fcb9d0c08ccfb33d66ed34d2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe

Executes dropped EXE 2 IoCs

pid	Process
2864	locxbod.exe
2740	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid66\\dobxec.exe"	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMH\\xoptiloc.exe"	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe
2864	locxbod.exe
2740	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2864	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	30
PID 2784 wrote to memory of 2864	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	30
PID 2784 wrote to memory of 2864	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	30
PID 2784 wrote to memory of 2864	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	30
PID 2784 wrote to memory of 2740	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	31
PID 2784 wrote to memory of 2740	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	31
PID 2784 wrote to memory of 2740	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	31
PID 2784 wrote to memory of 2740	2784	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	31

C:\Users\Admin\AppData\Local\Temp\ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
"C:\Users\Admin\AppData\Local\Temp\ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\UserDotMH\xoptiloc.exe
  C:\UserDotMH\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotMH\xoptiloc.exe

Filesize
2.6MB

MD5
2555641492c60ba544a911bbda4ff106

SHA1
b19ababbc89495336fd9fcfd5ce9b8d1c2338509

SHA256
02f25d817067a446e1296cbc7ebb98b33a9321f75ffd24c6d8917bfff6b01da5

SHA512
c1f4b45d2937ca665a419ec0923ac2db4cc449733072ab4be130066ef5d3d5527097e11ffa004c0e6c1992cebef571857fe220fbf95ecda8997995cd04ceb74f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
55d93c87e2800c568aea3f7ce661c7f1

SHA1
4cabb9199f583706695d73606ceb682bb04714f6

SHA256
c09de8613f9d68a1ccf81aca03387e5daba3d616abbd0d8c521a09a3144275a8

SHA512
c1b852b419af6cdf54709fc806b89627bb188b84d0bb8dd14993bd3576bb691ec8f99cd46decb163645d4dce9485fc1d1d4d920fb5ce04aa3e4d81c21e2dc493

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
0b6725a13501d97463499de279c7aae5

SHA1
bf01f2a43541096dafd52f5cdad648912eb61d84

SHA256
d56db40a80b482af4ca089ecaa5d44b057b2504eae8a016705d08f21a9681c94

SHA512
b2a2d95e07d76cec9505ec3c2812e3246a9b579fffa52cac29f9dc17ecbd3ce9e2cc1e2501def7021f948a182e26858664e1f9d21e6753f99fb808c7ec598db7

Download Submit
C:\Vid66\dobxec.exe

Filesize
17KB

MD5
f218ec25fbf44d8ada55b81c57e9368c

SHA1
3254b68c8ff9dd72772ec3c826687fc2f2e58051

SHA256
467e21f563b16934238c7063303543443c22689335e46bb9c062de8adfa02303

SHA512
a4d4e08e5dd2456e7d6dbe472cdfcec7bd18be974c39e1035955ed3d4dd06043ef6abf9551cd150c97e10652878ffcf1e8241e72ad729ce1a9c525863a8a35c9

Download Submit
C:\Vid66\dobxec.exe

Filesize
2.6MB

MD5
f7108ed0a18a7b067809d5e08ed0416a

SHA1
38634ab35b01604f238bfb2686e8f58d0eef2129

SHA256
1df5a2bbebbfa289a445d0d34d6bf0ce5f023e150bea4f8ad3d470a6cefaa3c4

SHA512
3e415e1fad9c093dfdc3e79e210b5f8cda7a6dd86584595281063785ce15a944aa6d38129cacd3a648c63b09106068249de6d2647194f369a54e45746d8025f4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
9f3c6d452facbb6c7427f617b4febb58

SHA1
b68f1fe0ab51f14f5e9b5a84505df5b7323b6a1a

SHA256
dd0f08927336435d66a3ee9a074e2d8781bd48f264fafd5b4f7096dd968394c9

SHA512
d6c6c82df2d5869389bddc96b65518ee006149481fed41c43e7ae0ec6bb201d6f53c5002c89c3c3365ce1a66730f2f9d163dbd4b1e906e36f8d34cab4999b264

Download Submit