576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 08:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
Size

3.6MB
MD5

cd173ad10b6b575403b5acae46977010
SHA1

dee8db2318a286876f358ba75fe5c2d72f15a726
SHA256

576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3
SHA512

00e333b773d8957aa8578df0b15a3ea1342f3223571f47ede53d019e63978678e5381112facf434e2c8929c3ecf0a7d50f439e97b2a8868b56d8b5ceab7d183b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe

Executes dropped EXE 2 IoCs

pid	Process
2876	locaopti.exe
4176	xbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHK\\optixloc.exe"	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYS\\xbodec.exe"	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe
2876	locaopti.exe
2876	locaopti.exe
4176	xbodec.exe
4176	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2876	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	82
PID 2640 wrote to memory of 2876	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	82
PID 2640 wrote to memory of 2876	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	82
PID 2640 wrote to memory of 4176	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	83
PID 2640 wrote to memory of 4176	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	83
PID 2640 wrote to memory of 4176	2640	576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe	83

C:\Users\Admin\AppData\Local\Temp\576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe
"C:\Users\Admin\AppData\Local\Temp\576e05f65a0738fbff4613936e9cbd1c3839e8ceb8c0a40f9909a01b7e6ba7c3N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\FilesYS\xbodec.exe
  C:\FilesYS\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesYS\xbodec.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\FilesYS\xbodec.exe

Filesize
3.6MB

MD5
943f7d76e4d7f1d65680a62afb3ad30f

SHA1
ebb7cc25c650d62a0643833bef7843ea88729475

SHA256
39213ea553def660828d99183509d204db7380bb24a76f0d4bdb8eb43872e3f0

SHA512
46db3258069cf987b88dd86483ab2a80d2dafa776c3a8b732ebefbbeb8d5675c39d9854a0832c717108c1a25e7f821f1f5be1af01cfbe4a0f39063b187c37fe6

Download Submit
C:\GalaxHK\optixloc.exe

Filesize
3.6MB

MD5
0b6b295a14beec69f143c3e931b38a30

SHA1
71fef45db518ca646b747227363fbfbd9466eddf

SHA256
f7e44bd51787d37f01ae320f584b2ab26ef19ba6ac6e200e4804791b63bae755

SHA512
0ba22dd3f7de6798036d7307c5a5a9945c57c7812883a9ca5a7a98af75fb8be53797b0bc29019987b16ef3a5faa6ae07a283f2dd71a690abbe55fae3765b0c10

Download Submit
C:\GalaxHK\optixloc.exe

Filesize
3.6MB

MD5
ed1371f6e8a9c34dba7ac801f3234197

SHA1
5ca7ef5f92bf5ccb8de19737d1dd1012b6a60c95

SHA256
45634492d210ebe7dfa3d4d914cdf7f67c0a79ed3e0c11dfd80e5322b8f606c5

SHA512
edf6a1675de13b9a80aca4d1043b6a14d91b1c7a9464e052e2a8bfe1160fe2775927aabcf901b5b3dbc78b217590908dddebe76be9a993f8f0b152ca2ee416c0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
605a2f713888d24b8d6a00fa7bb94038

SHA1
8cf6f54883e4f317e065af70edaf33234497946c

SHA256
6b03c5fde2df3011d39b5bad1a68c4708b2805363d40d122cc321b32500ea6e6

SHA512
df531007da0cd73c20503817134d51d46813bda44df22bf0ac56a6c46b98ba6a05f5f4f5ecb728da9d84b0f4ce7e6d2c8557f0bba2ee924058101b6a26f40bf8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
f755f8b19041acef05fa9307e46ddc6c

SHA1
5ec8d9eba1a4b17976e4b79bbd457d95af3b0a47

SHA256
3390b5a7168423b45f3bf475709f292a286e19299d5563a82c82930c186a0b4f

SHA512
204e24e86aa49179b6251f9a47ea46a5c9a3a9082fb51b85e9190e481314ca49b0a6d925eeefa02aefea901ed33cf1dcc1e2c189ff6338772dffcd94c68a97b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
633bf44e592b922a0184ee4236940915

SHA1
920e58e894f7b11cd93176652334de3a80d603ad

SHA256
3f46333660596b7215527b791d2c875ad13435a147320e0b52dfcd9784e2ed8f

SHA512
280a61ed29a89b00b29259477c2664c12fc5db588780ec04cb56bf0623aa456be9e808544c6034a8491ddb89fc27af2205dc8bf1e0c5b8d6e5277f842da1f3ea

Download Submit