0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0d

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
Size

2.6MB
MD5

862cb8e2382e60c026ddcc067449be40
SHA1

9983c11623b540412b7457323ec7aabd3e3aa803
SHA256

0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0d
SHA512

185de46ef7d0fb87cf9504beb767f09a1f0d61122226a23d08b2428e6b1066bf8b123eacaec0f5127e48ec07b85b10a9900812d330165d133a78c204e724cc49
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe

Executes dropped EXE 2 IoCs

pid	Process
4488	sysxdob.exe
3584	xoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEO\\dobaloc.exe"	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv61\\xoptiloc.exe"	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe
4488	sysxdob.exe
4488	sysxdob.exe
3584	xoptiloc.exe
3584	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4488	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	86
PID 3868 wrote to memory of 4488	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	86
PID 3868 wrote to memory of 4488	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	86
PID 3868 wrote to memory of 3584	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	87
PID 3868 wrote to memory of 3584	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	87
PID 3868 wrote to memory of 3584	3868	0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe	87

C:\Users\Admin\AppData\Local\Temp\0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe
"C:\Users\Admin\AppData\Local\Temp\0602411cf02e23aca4ea7054ac2396d48d26007de2fe9d81617b9d8ee8669b0dN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\SysDrv61\xoptiloc.exe
  C:\SysDrv61\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintEO\dobaloc.exe

Filesize
302KB

MD5
2dff986cc61223660683aa80d1fb2fd3

SHA1
ac5237d7ccd9da2176c983c09fd0de51c3c51ce0

SHA256
d6dbc819fca8f6ef5308e2d398543b8c6b788fc1f430a45a795a12cc15eda624

SHA512
5684dd0f5f49925fdeaf0d0b5afc2cd2e27ca45f55b438595f3dc82b458e0f6c3e9258400a4bec6d6cd2d18d84c03167b150ca1ca46a35027b56b31f5267bf95

Download Submit
C:\MintEO\dobaloc.exe

Filesize
2.6MB

MD5
2f9f0a0f56e387dd2c6c398569e77a24

SHA1
3e383c6152ffe1146764be7252209780055e72c6

SHA256
61ebe7cbbce0f1de6522cf99e1463619e7788e3b389662576fec9e84ceb138f9

SHA512
93dfe61c5896a05a2164a3c9eef6e92e54201c89f2332d9703cb3cd0d8df2fb8f2646481e9a4ee584a51e18badb09f62724637268f2f92b410bcd662b7c93dca

Download Submit
C:\SysDrv61\xoptiloc.exe

Filesize
2.6MB

MD5
17fbc7da3d2c6e792fb7da27e2830ec8

SHA1
a6b098cdf4a8f69c4db70cceb5975e4577adaa79

SHA256
09c0e313444fc1749b136d5c1943c0d4c7095e7c159cd39728c02a300bb94aaf

SHA512
750f2266938eec103bafefdcfb573bd5f66ca85749f5c2ed3d0ba6e3234c385eb7c00b16f9989cc905938d1506a3dc0e57da542f5b934ae7f3ea7ca5f853b401

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b8227df583a11a8df8106d1f8380981d

SHA1
43c17a206fc7b639525fa881b5fe15664f061827

SHA256
9a2ac72e52f0592f2f2d0fe09cfcb2de03648fd0cef473726c35a47aea070b04

SHA512
ce1058ad8c063cc336f222f2fdda9dc08c4f801e7e0986a2b026134d8527af7833727342a892355ec780a2342143530a34d874b8b20c92cb003aac3c35ff003e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
2a35260a06f8b1a0e59c8c3057ec6f05

SHA1
aa2524d8080a163f9d0a9f9674fd4b1e9f6ce9ea

SHA256
e091c668c3a14ecc0a13631b58132d68600e33c90149c05e27f04647917a8d77

SHA512
e7365954948b6c709a7a9c6102029ad7a1a27972c1995a3664c1aa51faf1c6416f85d3c412911385f8e18d854f83b7ce44f6d52d98cfa75f5363988d9d5b78a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
fd141f84d437095e776caecca4819d95

SHA1
e07820b32591f06f02ae93be3b5de4771d3a9e9d

SHA256
e00ba897a0d79066a86701edeaa73d07ad04c36dda7a4d4b38dc90c16fb641c6

SHA512
e610081135f8e9a0a67260aa9ec0723f4cab1a5b95f485f57dc4b47997f61063cd734189554df9bc8c25e41d8683bd5029c139c187a00f528e98e25a8ac583d7

Download Submit