939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Size

2.6MB
MD5

6bb121390b50fdb90586cac15271ae90
SHA1

fe9c4b5178f8342590fbff83dc3d79c157f73cac
SHA256

939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2
SHA512

26ce65865a1cd704f93357cfabd6593f2b5299b7a822f04967f945e783414469f863795264c362afc06112422d84012db63630704f01fd5375097da1dad38173
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpvb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

Executes dropped EXE 2 IoCs

pid	Process
1756	locadob.exe
2940	xoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotL3\\xoptisys.exe"	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHY\\bodaloc.exe"	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe
1756	locadob.exe
1756	locadob.exe
2940	xoptisys.exe
2940	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1756	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	86
PID 4060 wrote to memory of 1756	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	86
PID 4060 wrote to memory of 1756	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	86
PID 4060 wrote to memory of 2940	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	87
PID 4060 wrote to memory of 2940	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	87
PID 4060 wrote to memory of 2940	4060	939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe	87

C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe
"C:\Users\Admin\AppData\Local\Temp\939d190649cca94b2c360eb903b0ccca2cf9692b5288cacac9cfe8e2ca517fb2N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- C:\UserDotL3\xoptisys.exe
  C:\UserDotL3\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotL3\xoptisys.exe

Filesize
1.3MB

MD5
f23f783b84613e71ade11546a7133d4d

SHA1
feca22373228b0cc41bd590a1b1f84e80108d765

SHA256
06b8bfd54195e8e505e46c186f48ba17457d28f3e57f612f54f419c2889eba08

SHA512
be28721bbd2fc778ec6ca2e6cc15ef973f65e167c6149b158bcdcb7e12bacbf69231251fae7d47c7bd13d20e8141616c3864b08593f79f029f1b8fc5cbab39f6

Download Submit
C:\UserDotL3\xoptisys.exe

Filesize
2.6MB

MD5
f304bc410d6661724de5a7f52cb74963

SHA1
0a80096df4a560cdb997be13e8feea0755b118f6

SHA256
6632b3d55b9e4659c058db64c969390f5225422a1f9f73c20b49c9203a2a8c18

SHA512
5f444efb9b858a8f65bcf0ff33b13217a27c861d8c0aaf0ddcc74459be9f26dbe7bcbacbf4f214506cca862c9ed8635740d8ed89b1cfa8931c765d3793487aa2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
83a03821b1431c679a0d1fb12e7cb832

SHA1
b3226fc224cd3de7274b7539bd87adab3f5d8e76

SHA256
bd86b3e1eccaf4e8fb6aece2e62074047d9eef3cc5797d599010306ab166c9da

SHA512
f184f2837723118fae860db654c2d513582d76ca06119123b28774cf03dcb3141dd8f4dd79fea3c86b944015c85c84fab41968d85182ebcb8382fa779fe4ca18

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b1b6d37877b97fabd382d4793edf0ee2

SHA1
bfc4d89f43864bf4b898106e57979971abd00f05

SHA256
a06d52963bb534940aec8c4751eb7021dc143dfc1f2a348b14d58644224601a7

SHA512
70415f17461a5c65488aefc5c0a1e9089c05695309dd1c62b77bc9fe3099680886d9817d78b9bd3346d81655319321bc541d7fe916e4110bd8c820c6de5bad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
b54ae3e8da6510c6ae3f78c14b6e9bb4

SHA1
20fd2aea37df7a260a58da43fe0768002211868b

SHA256
f05b797a412a18f4b16768a0c3fcb870d6c02ce85561afa9f25bcf90d06134e1

SHA512
9cfc52b28c3c2be4a4534e7bfe5d6e2ffc3aaf7d7647b35f8cedecf6bbe917588581feaa66dbffd970e053e5dd44177c0bc57469fcac727ce5f48e19ef56601c

Download Submit
C:\VidHY\bodaloc.exe

Filesize
233KB

MD5
a386fa70a60703f9ae0d622acc3c8907

SHA1
5fffb3a9230bdf11760be8e0c4299d1634a66f07

SHA256
03209a12396042fedc26982b31a0ef7281ab59fb496f727a0aa7ac2319eef92f

SHA512
c7dddaf2923f6271268d6212cd1c5b97b506dfbcead814b793d5b6de27bb55007ad0c84d5f49228e84d7d98a0f37274350496ef12a22458f6fe59659c3aefb0a

Download Submit
C:\VidHY\bodaloc.exe

Filesize
813KB

MD5
f9cb8a8b1a165c7c775f3e533d12cf07

SHA1
fa5f4400ced394afd160a40f6ae547a5c1c70960

SHA256
c583ebcb83a3319121aeb9297a09ed915ecd944c4d8e78b3b124f72fa8eca788

SHA512
031b9fe037852c55edeee6d6300ce290f124318dfe1246423bbdebdec940114ad99e5cf843ef9a43b14c50b451032c9b6df689432de9d2cec897bc7dab6b6b53

Download Submit