920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Size

2.6MB
MD5

c677c0396196001bab66b9ff929a81ad
SHA1

52226cbc09cedad1ba7b86f89eb31b24b4b40800
SHA256

920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4
SHA512

8f413459d1de9e079321212c60d2387b197d3ee1f0b4ab720ad533906d749ad877c41f138e91f780ed97728464f5b86aa29890957c4b149e070371a9e8183581
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqW:sxX7QnxrloE5dpUpIbVW

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe

Executes dropped EXE 2 IoCs

pid	Process
8	locaopti.exe
2304	xbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAV\\xbodec.exe"	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUA\\optiaec.exe"	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe
8	locaopti.exe
8	locaopti.exe
2304	xbodec.exe
2304	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 8	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	88
PID 4280 wrote to memory of 8	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	88
PID 4280 wrote to memory of 8	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	88
PID 4280 wrote to memory of 2304	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	90
PID 4280 wrote to memory of 2304	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	90
PID 4280 wrote to memory of 2304	4280	920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe	90

C:\Users\Admin\AppData\Local\Temp\920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe
"C:\Users\Admin\AppData\Local\Temp\920a3ac11a4d2f5ec3c2b85e38cd6e1d669ddea3e9cd6ab3e020d8df69ecb8f4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\FilesAV\xbodec.exe
  C:\FilesAV\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesAV\xbodec.exe

Filesize
2.6MB

MD5
34d5ae9a6c5fe0d62c6a1a1c0a212b01

SHA1
bc1218362404534b64076f34ec95c68606f26847

SHA256
6c47d77ab2ce26c57d3219af6592f506868b046699e8df453a9cc91cd3a0ed16

SHA512
600583d147df99db22916629b0040805177545b91457d9c9f0ac7a3f153b91e5f70da46a8bcc7115d83f91588c729503d1084a5dc8902bf6a9e4a755f11a5c61

Download Submit
C:\GalaxUA\optiaec.exe

Filesize
2.6MB

MD5
e9360591b243dc8b505f711c694db6ee

SHA1
1b431a019603fc33d4f9653245223fa65aff4d9d

SHA256
644d9a2bce5ab73c108787d5e9f1e4a07065f122211db6839268e35ad144ba44

SHA512
99ed7d8e608cd1d2ff576de2a485c8111ffdda0595259078dadc6a0771f63b6bc9a83419e2045ae1d3837d15b80404add217e964cc318e90cce85e93d32ff699

Download Submit
C:\GalaxUA\optiaec.exe

Filesize
796KB

MD5
8ea477a00818c6c08924bb64c086f83f

SHA1
62568c24a9b3ddc2730c5397a7dc8149218efc87

SHA256
1a439521f1731771e0a853d092ed2fd08c56e244dbc7242dcdd3a5c727cee555

SHA512
397be3c763932ec8e743dd847f5010fc7f8ffd12820ca4b80286243353631fc4b5fd0aa7c86be8277ff8de1601068fff6202a67e8f33dad7f2753f671d4f696d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
b0eb7a4b029034e17c6a5b2dc758b9d0

SHA1
ecc737be30fefc1837a144c77ed63c1e5d2a1de9

SHA256
4c938d8857977b5d1ec9c9e321f3e90efd8f03c4c86fe9ff26bd5d07e435e834

SHA512
92acdd0003077e9f0eddb7fd6aeb64ee342f49388991c5a5c9db0f2196dbd199aaff90c122e30cdb531ea60f4803b88e9543c0495bc152037150d861dea2a9a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
b196353071743974dbb8610634c8c9ef

SHA1
907f1e1d0e5f4ced8fad9633343fdeae8482dc37

SHA256
e5cf94095e95c548ad66639981ddc15b58952cd5937ead443680bc1df812452f

SHA512
02b5329cfff4e07a9b993ed5b6a260d1122e51f309d9c036b941690fe9e033c771d42b65e014f0d1e8afc7df825bb4565974e7c79e313e8102158b73350f245f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
5c3f00806bfb48bba3316ca19e0b8c45

SHA1
c7e41ca077456d1fa0f39595028acd153347123f

SHA256
c93bdfb38960380bd95134f130a1f1e456aed336604ef382df3df3107c7754f5

SHA512
442333c53903e38f230a69b916818dd6129da97e03617606151b6712f54efb7c9e546537af6754ebf8f92303832caaa58dc73d0f4e1d6035f76f18d59eafa494

Download Submit