5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
Size

3.2MB
MD5

787b51ae1a4ab8f0dff29a889af7a138
SHA1

f97d9e33eecf4a2b6069a2af301610ec737a6d2c
SHA256

5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4
SHA512

04523653d378c91758aead11d23a079a289115f133d23572925d20ad43aafd90480a6116d7a6ce6dd7b929e20fea9e3f01d948eb3e2c0c6a014cb79b219349de
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI20t1:sxX7QnxrloE5dpUpObVz8eLFczU

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	locxbod.exe
1620	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEI\\xoptiec.exe"	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ54\\bodaloc.exe"	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe
2940	locxbod.exe
1620	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2940	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	30
PID 2012 wrote to memory of 2940	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	30
PID 2012 wrote to memory of 2940	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	30
PID 2012 wrote to memory of 2940	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	30
PID 2012 wrote to memory of 1620	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	31
PID 2012 wrote to memory of 1620	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	31
PID 2012 wrote to memory of 1620	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	31
PID 2012 wrote to memory of 1620	2012	5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe	31

C:\Users\Admin\AppData\Local\Temp\5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe
"C:\Users\Admin\AppData\Local\Temp\5e1525939707875cd9be8244c63ae3419d964b0deddaa1a276ccce97926bcef4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\UserDotEI\xoptiec.exe
  C:\UserDotEI\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ54\bodaloc.exe

Filesize
3.2MB

MD5
2eec378007e9917c7f8efc47a136d004

SHA1
3a1cc4596ba45df40819763ef1bff2a2dde254e8

SHA256
0f6076f6b98bc01c4f4b5e5f091f27f199c3ca186fe43e6c4fcc7160fbfdf14b

SHA512
9760d766953473412d440965ddae5c0ba6406c415cb5215da9dfbf51ed328cdf1cbe1ec94b5ebdc6ede6b3ceb744151f99c9f315676afa0a9baa6db9f5bf3402

Download Submit
C:\LabZ54\bodaloc.exe

Filesize
3.2MB

MD5
272186cb773b9973df91b1e48db2a5ae

SHA1
2d62ef77b680e2b000633b245a1c055f269d5ccf

SHA256
d9e5a99764f77f69172e70d9c673df14703d4ee7fea405ee763b2b26b8e9ae1e

SHA512
7f260253314ec536588eb1cd7b8670c7657f868c8778b43a4d1471293db99f161fef8ba45f40c67a1f1c2d45a5e5b3630f0edd230b67e65732ea42460127f28f

Download Submit
C:\UserDotEI\xoptiec.exe

Filesize
3.2MB

MD5
855c0c4332629ffe0f5674f617b7cb92

SHA1
1cc5fc51e7db9c46fd2dfd1a74232e2961dd8b53

SHA256
24682bee476b923aa8778bcd348053c5653b1dabb3badfcdca95b77e8e30edf0

SHA512
351942b335ef2b7b8a55ad0cc7bea00364b74b381664b3a9dfc67307d83408f4c83ab0147c871b340b24ee9f905f28a483b6211b932fc665ce05474bfc42c395

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
2d13ad54db3186fb18750d5afa6dda59

SHA1
2eb754656ac428e75bcbae62295fa8552634b0cf

SHA256
6ac37b0b63bdc6767e9d8551f4db9d0b52864f43c2e9f25de3c744b0983466ed

SHA512
b7bfbd32b2719a5b5bf708d2b39d26d24f1c7ea276a8570ba36c6198175b776486550f5b8705cc15f2ef630e2bcd24624eff4050f4627d199e3759708f57bcf9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
d2f6502011722572353bff7cf5efd43c

SHA1
c0cad08c5300ca2bf6419c3f8856f9eecd741d90

SHA256
3f72aefe958cd7f8bafb3f7df199ecdab71800b8c539b50b06fe0e9e32d545a1

SHA512
4877980645557406dfec7ea06cb01c6d6c8bd31d5d0387da49bce908d697d049828c1ddb9c84072be7ea76e1901a16cf7ad81feae6ea0e88872631e06d2e9f5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.2MB

MD5
1a9becaac44904c458b92b54405d3799

SHA1
39ed610691b763ddd33cfa8ef65d0911dcbd9fb6

SHA256
a59985abd5c09efa2e5baec6ebb0bd73d25d6bcd6699242f1a45037631ed2435

SHA512
7e02862cee99ca81136d125365c68b3941a23ac60252a0b5c339b79858b403ed12dcf4bb868e0010207254514a88d61edbce93d461e8210e52d0ab6d307ca938

Download Submit