2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8e

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
Size

2.6MB
MD5

8a2de1a619b66fb9813a0e8f2a310a60
SHA1

5822dfc297539ff9f2f6ed305167296cac803000
SHA256

2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8e
SHA512

52964fc7ff81c1fa2b3143b9effb09e62c66b36265ecbdd5a71643c1882164859549341bfcf88e91d0713d656a38e668908ae6437675e3290355fd33b08e0f68
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpJbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

Executes dropped EXE 2 IoCs

pid	Process
2248	sysxopti.exe
2236	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc94\\xoptiloc.exe"	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU4\\bodaloc.exe"	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe
2248	sysxopti.exe
2236	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2248	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	30
PID 2828 wrote to memory of 2248	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	30
PID 2828 wrote to memory of 2248	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	30
PID 2828 wrote to memory of 2248	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	30
PID 2828 wrote to memory of 2236	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	31
PID 2828 wrote to memory of 2236	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	31
PID 2828 wrote to memory of 2236	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	31
PID 2828 wrote to memory of 2236	2828	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	31

C:\Users\Admin\AppData\Local\Temp\2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
"C:\Users\Admin\AppData\Local\Temp\2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Intelproc94\xoptiloc.exe
  C:\Intelproc94\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc94\xoptiloc.exe

Filesize
2.6MB

MD5
9b18dd61c9bd23593e1219eea4ee8dae

SHA1
8a4a53a9793dbcfe8855c0be627b9e13a6201ead

SHA256
99ea5a8ec484f39a4d60c156ee0bfca93d1b9a65a34ef014ba08e4cac0ddd4bc

SHA512
f704395be4ca52e40daea41893305c7ad6dec56b77c2a27f97898661a58843fe3ae274e67f35a1db61865f37e13a8986646c435288ea4c5bf03315d268fbb4ef

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
67b8ab8fd5b0a8c8406b4865bdf3a2e4

SHA1
5ca58fd77e2f06bd92c1c3fb88d8a22e1ea894cc

SHA256
eae27cd186dc5f283d83e70cbe14851939541338ed15b890bb34304651d1a9d5

SHA512
1ad7ac6430500fc6a9d05109a6567508afd116cf5b1e516ba1c745f8371cbb9362264691951c40526c6eae4cd6a02310be92ed8f1f211570cebfdf13832e1c97

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
3c206a4ddf8914dfcb77b71690497daa

SHA1
89a03109860b35d24434c2aff48e8d678ffadd5e

SHA256
b997de936d1faba9460f183309e9d37e12f8dee05fb05856e95a445d47f2e2a2

SHA512
71bbe26cc6c1a005f51c9c7cd5f418427784600ffe198a4366f47fdd56d1299e03f1a1ec896bcf8c51139ddb545c70258971e0e169739868533eca299ce3d717

Download Submit
C:\VidU4\bodaloc.exe

Filesize
2.6MB

MD5
e1cf1460db6aab0555bebb34832f3bb9

SHA1
3d22d97175b3ec086998d2fcf8058dbcab139491

SHA256
5077a5fd6cf6a126a0cbccef5e9561968ca1e7b6860dfc973de4e0c14ee1d8ee

SHA512
f5657aac73bb67e3efb51937c817d0a2785d57bd01c3abc9801442853a369b2aed3822062fa5abe36c37713955d6caeb7f68641332324c57783f8c6c1833fd89

Download Submit
C:\VidU4\bodaloc.exe

Filesize
2.6MB

MD5
6c5eb08d5751fefb12eed171b1bf1aa7

SHA1
b40a2607f79c1efe498da343129a529645531165

SHA256
cb472625949c3750688e8ba8af46dc17201a2ecc217f73be57fa5b32cd23ce20

SHA512
7b0b3da4d14892bf0fdf5fe938cf9d45e39848ff80fc5908499dbb7b7523519f28b3e9e481b918c27a9e336c9f6a5bdd2e1251110d86bd08baa7a766303137f9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
be9efe81d5159a696eea56127af5f9a7

SHA1
50acbe321ee9fbbf789fddd8170158884bc6e962

SHA256
a0db65d92ca7e7246abd6e8b6c8e24b0b8b59933042a074b2aa65a35b2ac8d04

SHA512
3fa36cda181351995e41c530598e0e242a4f7830742817884499dea76b4477d53e7a4c721a62df51d80cc9fa23c40e89c9f6058b5a0b1cb9c205082bd2e74a74

Download Submit