f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
Size

2.6MB
MD5

390e29af2b4614796e51b4c8fa0c6e4e
SHA1

c0b2484999903c36571889ad8a6f4ca0440c6909
SHA256

f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77
SHA512

a8e6f1cc61146cdddf8622b9fa9d186b0709209c9451d4e1a887d89860ffe8148cf916c1442bc59651cb47671d08466f936478b250dc5e350aa314e85e48061e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpub

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe

Executes dropped EXE 2 IoCs

pid	Process
2996	locxopti.exe
2636	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6Z\\adobloc.exe"	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIV\\boddevsys.exe"	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe
2996	locxopti.exe
2636	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2996	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	28
PID 2952 wrote to memory of 2996	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	28
PID 2952 wrote to memory of 2996	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	28
PID 2952 wrote to memory of 2996	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	28
PID 2952 wrote to memory of 2636	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	29
PID 2952 wrote to memory of 2636	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	29
PID 2952 wrote to memory of 2636	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	29
PID 2952 wrote to memory of 2636	2952	f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe	29

C:\Users\Admin\AppData\Local\Temp\f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe
"C:\Users\Admin\AppData\Local\Temp\f6aa24ee9bc6ce1cfef66cb1f9eb6a642f61d3bd2bcf39fa8cdc82d651c07a77.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Intelproc6Z\adobloc.exe
  C:\Intelproc6Z\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIV\boddevsys.exe

Filesize
2.1MB

MD5
e8f1d78ba2b3ffb20d568a905e952dc9

SHA1
c56b11fef5a66ea58ac24ac28665f5fe289d2bd9

SHA256
050650d4b92fe7480ec511c28cdcb197921babf14c7913ce379deb20e113b56c

SHA512
21d740dc119845f80d0add49b05999c633b3eed716acb5cbecde906741cf40edc93b55e7e9cf0642bee79193996fab14ba8ecb89cd724e83e7bb54c4f6f04740

Download Submit
C:\GalaxIV\boddevsys.exe

Filesize
2.6MB

MD5
4c9ecdf1e45057ab28b79d6e1eef539d

SHA1
3c6f0ba388ecda93005bcce7564b81d74e5b7a0b

SHA256
1c66a0c47cd4bf2cf194fee66b2d50ae740b3d30f4ec90473d83cb9e35df743c

SHA512
2901b0e977c4b560bf441769a61e0dd1c59bd85502b4967d46af6f71f4dc16778e23809e630f988419a36c1bbc5c898b9e215be253e3857a070d30081970180d

Download Submit
C:\Intelproc6Z\adobloc.exe

Filesize
2.6MB

MD5
2f864d645a1cc750ee6f9962a4d4b2e4

SHA1
1ce2226b057fb1d574360e0affc4ba843b89732d

SHA256
4afd3aa8676578ce654efaf61c29b08f89ddb641df35c8c5aab7d7e34ac83fdf

SHA512
50dd44b853abb29f4948c5620a0325f554dcdaa4dd251388e8645b037d7897646194764e287da467bf900ed6255c8a3f871c6ccccd7f027404bc0dc31b01effc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
e85a2fc2782b28b5734ccd2d12e47c30

SHA1
80082d84203c16ad3aebcc4e73833d3bbdf3b007

SHA256
e90218d10f8eb23974a71ce91a280694a2fdab5dc155bbbb20a0cc369ed69173

SHA512
287b4afa90781b105f5036bb9d4b36e026ef72eb2764025f554031fbbd36d319c44df4522dcaacaad9bcd50fd938646f848d8b2e6180241dde2e33111e2eabc4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
b7f9f14d583f853ad055f0a6b7d4565d

SHA1
080f2543451363dbdc89db4b299bbfeb56d1eede

SHA256
31e967f33fdc2c4a77da1f4c6d036357813b969c7e5e936c3d4194db7b5985fa

SHA512
95d39b4243b26b1e32b9e588a689351e48eab136160444c68fda2d5d9e69d5224c8dceef7caf59987e34d222f28709b4e23f009f17d396f991aaffbedf475a78

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
1da42bebb1b1cb20ad5461e66f93141c

SHA1
ebfd97d4c9feef71f5ebd94e37dbaaf2af08966c

SHA256
df7abd3ca590cdbf87b58217c95c266b53d2d1940261eff5dc848a269d6b77e4

SHA512
34b34bff12af157172ed3e5a6b40b43379d7316e53bedfbf95a42a14f68366762ad2cb3ae11e722732a1a01f7187aba20852bffd5313b9db1210395aae4f9a43

Download Submit