0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961c

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Size

2.6MB
MD5

6d4eeedbed7e5e4075a296f34f997f70
SHA1

94f12e4e3ae25dab70aa07bd56cedd21f6e45924
SHA256

0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961c
SHA512

c1e1bb0dc8efdca473199f9d394249d747f85de1942b26fff8642b41833f8f9ec31c8b8572f4f0a12c08dd775560f791a91aa623cb051446eca3963b5bfe8fcd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe

Executes dropped EXE 2 IoCs

pid	Process
4680	locxdob.exe
2740	xoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUC\\xoptiloc.exe"	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJA\\dobaec.exe"	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe
4680	locxdob.exe
4680	locxdob.exe
2740	xoptiloc.exe
2740	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4680	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	89
PID 2376 wrote to memory of 4680	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	89
PID 2376 wrote to memory of 4680	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	89
PID 2376 wrote to memory of 2740	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	91
PID 2376 wrote to memory of 2740	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	91
PID 2376 wrote to memory of 2740	2376	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	91

C:\Users\Admin\AppData\Local\Temp\0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
"C:\Users\Admin\AppData\Local\Temp\0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\UserDotUC\xoptiloc.exe
  C:\UserDotUC\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJA\dobaec.exe

Filesize
2.6MB

MD5
291f16bb81f25fb4b93195e6655e5d2d

SHA1
97504a63e3a899afb2bbaba39f6443b6bf193642

SHA256
afa4701c93cc5afa67c6b93d94e0f82705b3edffac7cac53e882ecb580cb3a6a

SHA512
8d68f44349d7d1638bc5a5fafc255a676abc9331e2dcb2f0ee969049b6af32e944b632e4a21d30832fc8178247cb1710f811a091961dcf876be6f81a9b3fea54

Download Submit
C:\UserDotUC\xoptiloc.exe

Filesize
2.6MB

MD5
7103ce26693c06182a30f9b90ae23194

SHA1
56094c8381639230a4f7a72683f7bf1bfb994148

SHA256
db38ac9734642b15170faf1b0a0c2beab2c979f00747b01bf7de9e8bd60a3839

SHA512
001e7473bebde0d1cf8ca89720ed7c0a9d59e2773372c36ccc020ff0ba3f26d5d7b5f961575013fdf605a6eecb88a485434f95d9eacffb755512db5529ef315f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
246c0f47127e0fe5587c2d55fd791f56

SHA1
10f92ea5841fb4aab25b57564873f4886eb5d251

SHA256
94f71e890abd1484e92616962f840a1d062c9ea6ba381d27d59688299e76fef7

SHA512
1f62b960d2aeefbad3b8ca70c679fe97d6beb377615bc912516a64b9b2539b009c4267d8d180dfcd4566e4cc78fa13cd833ca8e14f709bb88997df921094a918

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
931616c960f00d4a08e2445f3d8a0478

SHA1
47ef1b8008ca107917cdf5f703fac5b6dbbc47b7

SHA256
663aab4017cc2a9cab8770a8bbc0b283c889029e014591e25bd50ac24c289806

SHA512
6f7e49083b66f455d729950d8219dd9a8b7d238b4434da8d596077f062e84762532c946c904dd697c39d465e55f732ec765f731cb90da3f461230e929a73302a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
dec59682eb97a8d7ce0afc699b72422e

SHA1
0a36186a5ca274a11c6410694828c9d0e0ae51e6

SHA256
e781329ef8a173cfe2348a54bc8ba446dce02c9ada7ff2b7d2ec8af4e7583a4b

SHA512
877e2c4155d76b7bc6aad4de9d38c829cca1f253b84bbfc67bb2584b7e6817a23dfdd50ded3526a889d3f61fd57107cb0eb28515126c590984b2659bbe06fe03

Download Submit