0ed0943a8443c307acfb85e0782da36b408677dd3d30ac86313b5d2337844497

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acdbe39c6227798d30507a645056fb9f_JC.exe
Size

4.1MB
MD5

acdbe39c6227798d30507a645056fb9f
SHA1

b78c7549ab188a3a6c15e367747c645156538da5
SHA256

0ed0943a8443c307acfb85e0782da36b408677dd3d30ac86313b5d2337844497
SHA512

9a296f931d145c92b983faa160ede40f550a46457393bab0a184ff06ab966853b4f2d165014a407c16187d414c27441ef4748c92ebb8ba57a8b2ac51e0d9354f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8:sxX7QnxrloE5dpUpWbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	acdbe39c6227798d30507a645056fb9f_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
1752	locaopti.exe
2884	devdobec.exe
5084	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZQ\\devdobec.exe"	acdbe39c6227798d30507a645056fb9f_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRO\\dobaec.exe"	acdbe39c6227798d30507a645056fb9f_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	acdbe39c6227798d30507a645056fb9f_JC.exe
2232	acdbe39c6227798d30507a645056fb9f_JC.exe
2232	acdbe39c6227798d30507a645056fb9f_JC.exe
2232	acdbe39c6227798d30507a645056fb9f_JC.exe
1752	locaopti.exe
1752	locaopti.exe
1752	locaopti.exe
1752	locaopti.exe
2884	devdobec.exe
2884	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe
5084	devdobec.exe
5084	devdobec.exe
1752	locaopti.exe
1752	locaopti.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1752	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	84
PID 2232 wrote to memory of 1752	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	84
PID 2232 wrote to memory of 1752	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	84
PID 1752 wrote to memory of 2884	1752	locaopti.exe	88
PID 1752 wrote to memory of 2884	1752	locaopti.exe	88
PID 1752 wrote to memory of 2884	1752	locaopti.exe	88
PID 2232 wrote to memory of 5084	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	89
PID 2232 wrote to memory of 5084	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	89
PID 2232 wrote to memory of 5084	2232	acdbe39c6227798d30507a645056fb9f_JC.exe	89

C:\Users\Admin\AppData\Local\Temp\acdbe39c6227798d30507a645056fb9f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\acdbe39c6227798d30507a645056fb9f_JC.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\IntelprocZQ\devdobec.exe
    C:\IntelprocZQ\devdobec.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
- C:\IntelprocZQ\devdobec.exe
  C:\IntelprocZQ\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZQ\devdobec.exe

Filesize
4.1MB

MD5
d599f6aead0288b13e09b64cf51fdfc0

SHA1
5d33541a7780703b31cd2c8cb0cfd59dd96e27f5

SHA256
d5d4cf0dbd8387cb78be2000e0b8d9ca667c1d5b76027c76e20e618987667820

SHA512
fdae2c501e20be0bbc77dc8de7be25b8603ec8dd834a92c20b061f8fdd6f9f33f557a494c5a62adecaade09cd52315b7dc7da11c33de224de6bb42648d6af855

Download Submit
C:\IntelprocZQ\devdobec.exe

Filesize
4.1MB

MD5
d599f6aead0288b13e09b64cf51fdfc0

SHA1
5d33541a7780703b31cd2c8cb0cfd59dd96e27f5

SHA256
d5d4cf0dbd8387cb78be2000e0b8d9ca667c1d5b76027c76e20e618987667820

SHA512
fdae2c501e20be0bbc77dc8de7be25b8603ec8dd834a92c20b061f8fdd6f9f33f557a494c5a62adecaade09cd52315b7dc7da11c33de224de6bb42648d6af855

Download Submit
C:\IntelprocZQ\devdobec.exe

Filesize
4.1MB

MD5
d599f6aead0288b13e09b64cf51fdfc0

SHA1
5d33541a7780703b31cd2c8cb0cfd59dd96e27f5

SHA256
d5d4cf0dbd8387cb78be2000e0b8d9ca667c1d5b76027c76e20e618987667820

SHA512
fdae2c501e20be0bbc77dc8de7be25b8603ec8dd834a92c20b061f8fdd6f9f33f557a494c5a62adecaade09cd52315b7dc7da11c33de224de6bb42648d6af855

Download Submit
C:\IntelprocZQ\devdobec.exe

Filesize
4.1MB

MD5
d599f6aead0288b13e09b64cf51fdfc0

SHA1
5d33541a7780703b31cd2c8cb0cfd59dd96e27f5

SHA256
d5d4cf0dbd8387cb78be2000e0b8d9ca667c1d5b76027c76e20e618987667820

SHA512
fdae2c501e20be0bbc77dc8de7be25b8603ec8dd834a92c20b061f8fdd6f9f33f557a494c5a62adecaade09cd52315b7dc7da11c33de224de6bb42648d6af855

Download Submit
C:\IntelprocZQ\devdobec.exe

Filesize
4.1MB

MD5
d599f6aead0288b13e09b64cf51fdfc0

SHA1
5d33541a7780703b31cd2c8cb0cfd59dd96e27f5

SHA256
d5d4cf0dbd8387cb78be2000e0b8d9ca667c1d5b76027c76e20e618987667820

SHA512
fdae2c501e20be0bbc77dc8de7be25b8603ec8dd834a92c20b061f8fdd6f9f33f557a494c5a62adecaade09cd52315b7dc7da11c33de224de6bb42648d6af855

Download Submit
C:\LabZRO\dobaec.exe

Filesize
431KB

MD5
93fc5560d5b766705fcdb6a398ded10b

SHA1
1cce71b330cd0c8182599673b8ce0960783a1d92

SHA256
8e3594bdb7c4f1979ca5dc33a1caac4df5d40847325d04074d09fa74cc42f40d

SHA512
92a1cf889d970df6802bd63b0495eda0266d4164f79b2bb4ee4acb31b55bbe841661479e357b86362ca6ed65503972953b5e98e689d067640ce4ffb779751a53

Download Submit
C:\LabZRO\dobaec.exe

Filesize
4.1MB

MD5
b85f6edeb7e7932e5700e234e3f4c782

SHA1
a81d5f63adace943c67b129c893d773bd003788d

SHA256
8051b8fb26dc8f1b840989acea1914885cadde72551dab2f16b0d556176b68a0

SHA512
ff6edb0f60939db07540c6d645a03500ca9ab0c51ba76dc44815e4b8e30ea3701cf51594eae57c2c3dc97eefbde81a3a2942f0a047c060fcb6cc88d4f62c380f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
77dc6069c567a0a6e94e9f83e77be46a

SHA1
43be0f3a04fc70ad0e60e4d2403664f0c24f16ef

SHA256
8dbec8b7b140b3e1ca293a5cd422e659c76fa44d0b826048b2c75f3df61a3786

SHA512
bb4644ac230c9b6a5963e59d0c56bac13cdf9627f706ad5968c34b1e9ff126c506153d02332caf4dd16e16e8e2ee1d76902b79ce58b58a9de56d0752f9a817b7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
ecb408c878775888a141f0293158ae53

SHA1
f22511adcdb88d0663019dcc13e5279e17549273

SHA256
4f3f8be1c5daaa34503ba0fdbfd88ed0bb61a5be56e93c98f27b542b69258981

SHA512
9a6334ba93e3fab219cdcd2dfdc9300e9ccfc79e58c3d0fa4f84e009f43de235208a1fefbc965d3c3f24014e792d85265bc4444796153f2cf88bc416f1ae7021

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
4.1MB

MD5
9c18ebd4767753933eeca31dc4e73a0f

SHA1
660fe495f641325c601303a801d13280bbea323a

SHA256
83537db6f47f5cfd0a4449ef45f65e85df16015a943b9a10c62479d6d17c4eb0

SHA512
d43a96521bd2cb6b1e780d5fad0721f4e317cf72f0c34b8450109d6f7b0d16fe465fdb62eabf504fc7bc93e82de4a1313283056cfc3013dd43838ba0ecc66805

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
4.1MB

MD5
9c18ebd4767753933eeca31dc4e73a0f

SHA1
660fe495f641325c601303a801d13280bbea323a

SHA256
83537db6f47f5cfd0a4449ef45f65e85df16015a943b9a10c62479d6d17c4eb0

SHA512
d43a96521bd2cb6b1e780d5fad0721f4e317cf72f0c34b8450109d6f7b0d16fe465fdb62eabf504fc7bc93e82de4a1313283056cfc3013dd43838ba0ecc66805

Download Submit