4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
Size

3.0MB
MD5

2b58b1483d9593fdd4f7c349fae42c7e
SHA1

787dcd26c1583a11af44480a5b452809b91c0828
SHA256

4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0
SHA512

46d18f918afc982fc37ed092fe3f9d9504a075dba557bd896dddaaca68a1fbc628348855ad399e811fde1248b22813a69e8cd53eda4cdc35c8c4346b4bdad4a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8:sxX7QnxrloE5dpUpsbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe

Executes dropped EXE 2 IoCs

pid	Process
2052	locxopti.exe
2636	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQ8\\devoptiloc.exe"	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJR\\boddevsys.exe"	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe
2052	locxopti.exe
2636	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2052	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	28
PID 2656 wrote to memory of 2052	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	28
PID 2656 wrote to memory of 2052	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	28
PID 2656 wrote to memory of 2052	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	28
PID 2656 wrote to memory of 2636	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	29
PID 2656 wrote to memory of 2636	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	29
PID 2656 wrote to memory of 2636	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	29
PID 2656 wrote to memory of 2636	2656	4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe	29

C:\Users\Admin\AppData\Local\Temp\4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe
"C:\Users\Admin\AppData\Local\Temp\4c03190d656a8ea9dd4ca83e2ed1d5b924f4bb6a4e3785644a3b0e8f59a665e0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\FilesQ8\devoptiloc.exe
  C:\FilesQ8\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesQ8\devoptiloc.exe

Filesize
3.0MB

MD5
94275da9d388bf559679d869758e1606

SHA1
3cf64d47a6039d1275f0f9bdd8043c37838f7789

SHA256
5a202dcde0de9113a759922de64b491353db54836774e234f05420806ddf7673

SHA512
c528dc1d4cea1601188815a33951bf4717972aae9e6de8c80b3582f516c239b60dfd3d08b0dd557ad35e15ff2adcf455c3bb5a93333ea27047c94cbbae5091e4

Download Submit
C:\GalaxJR\boddevsys.exe

Filesize
1.2MB

MD5
211f25780a949ecc47fe103d46655355

SHA1
9e61828760283cbf311ef63c6da4b54bc8e38bf4

SHA256
03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

SHA512
425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

Download Submit
C:\GalaxJR\boddevsys.exe

Filesize
3.0MB

MD5
3fc8a6b137ea03457168df6b97d92cc9

SHA1
c209c31344a543d41daf8a54eb99b82763f8a276

SHA256
32c145479b74b3ed827fc7f68e339aec56a12a56ce9a4c4aa22bbb1dac2e5ee3

SHA512
7cea10cdc49c2ade27d4a2277d46edf1ccf83adb6bb25fe3d77a70eb9369ff610290490e1e91a4c195646de10810c79fcf9cd1fe50d85d7e1935184839252711

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
318f98591aea7b140648bfc6c985b864

SHA1
6527b946f31743e51f00f658f0e4da646e5c5ffe

SHA256
1472a0c512483a5d9e2504511a5beb56c1fc0ed113c6d4de90a9cd3193e9996b

SHA512
f95e46d6f86a15d62b86a3e73cd143ad6a02c2d780b21d16e9834b3c0d6b72c82beeb216c3d69703cf9435dad72b6b1c7ff8d57157c51f5359dd5f5dacc1fb3c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
9f959a4d7dfca273e99971887ba049de

SHA1
5278ce9f291a32940fc68dea74700ec7c92d5dff

SHA256
1f93a677f0865ee65bf811c07944f3d2e86a5e6b404aa5b8ae2db99de9e730f5

SHA512
bc247946ff534e476eaac97126e3b230de097822a0595b0f7ce0acd6a8b58e89b0cdea05d96105a7442bdeb90e1754f8e1847d3c8f8d252e7c1aff48fd6db79a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.0MB

MD5
65becb135293e64bb61943a04d4b3adc

SHA1
1f19b70cb40195cab2533ef2ee20dee901fb92c6

SHA256
9581732edc186ad1e289db9eaf8b56bd76ce7aea08ee10fb49b8a6551c99110d

SHA512
77ded52b0ce42fbbccd522a517c31705932de32209e6910c942288562fcaef72db1635e71873a75b31373268e868a3d0ab97daf9e0fcdb2d5a1d823fe945b6fb

Download Submit