5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30

General

Target

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
Size

3.9MB
MD5

cfd73c93a6339b5b973fa7d6180e3230
SHA1

1a3b7f6f9d10901264cb819b749d6ad759518f2c
SHA256

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30
SHA512

7b63c5113f61d58d09b192f116fbb034b7f4715103ec541e9a2ba1e781db79752ea5f3da44dbf8c9d0e76d19e637d1a883e98da1f39ab8228a31bd8d80f4a464
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUprbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

Executes dropped EXE 2 IoCs

Processes:

locxopti.exedevbodec.exe

pid process

3976 locxopti.exe
2548 devbodec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3976	locxopti.exe
2548	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot50\\devbodec.exe"	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYA\\dobxec.exe"	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exelocxopti.exedevbodec.exe

pid	process
3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe
3976	locxopti.exe
3976	locxopti.exe
2548	devbodec.exe
2548	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

description	pid	process	target process
PID 3712 wrote to memory of 3976	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	locxopti.exe
PID 3712 wrote to memory of 3976	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	locxopti.exe
PID 3712 wrote to memory of 3976	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	locxopti.exe
PID 3712 wrote to memory of 2548	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devbodec.exe
PID 3712 wrote to memory of 2548	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devbodec.exe
PID 3712 wrote to memory of 2548	3712	5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe	devbodec.exe

C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
"C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\UserDot50\devbodec.exe
C:\UserDot50\devbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZYA\dobxec.exe

Filesize
3.9MB

MD5
3ce331efdec91b3019beb8bf30cd2e3d

SHA1
48ae1f31ed71bb20ee478673319057dad5ae6ac9

SHA256
54253fd5fa544034155a9f24831f731648346255a105002cc0bb8d704998778e

SHA512
f57260da15b63a634cb8907b3554ebd7531e474ff907f4788a2d0d3d8a14fbeffd2e0e41855083459ce281492bcdcd843e6119bd157115a4c1ffa4319378c73a

Download Submit
C:\LabZYA\dobxec.exe

Filesize
3.9MB

MD5
b48b2c532105f8fb96615f703ec50f58

SHA1
a542808cd7d8a6d433db72e5c40b988f4d0e6baa

SHA256
1bf59a1ccb0ad052b719034cf4c1d7813171614d7bfa80e23d51d79a3b239a01

SHA512
23af4404986e61594e6ca5a0ad38cc6b47cdc5afc049ae3ce324076691fe6be7e0eb68b2265f465e9cb667dc0f0e4e914eb910c9ab2a663bd9d112ccb094ee8d

Download Submit
C:\UserDot50\devbodec.exe

Filesize
841KB

MD5
54c6aeaec6cf82fddcff200ecf7a7d82

SHA1
b818c3edd863b25dc45251e175b647e94b452ae8

SHA256
3eccdec595528cc49c32b0af1198d1ce678872e362bd143bfabf5f7d047aee62

SHA512
1a6348fea89b85adb097bd198e7904730a78053013bfce150c47ffd0500fafb758c8b0ce7e97475daeed255d21453e16beadb18c25b57d1f7ea5d1b2e4331567

Download Submit
C:\UserDot50\devbodec.exe

Filesize
3.9MB

MD5
9be9f14f947d08854b6c0beab7989209

SHA1
1a192bdb5fee22f3d09e234c79211ab9f696ee8c

SHA256
272731c38d857c3f708dc3009d368cd98ecdb4851fad5b305419deaaa3aaec76

SHA512
54eaf968cc86e6bde72b9d70f75c124ebee1daff30f6de8709365cea86a03b61f4bde748453b08db2ed28e740ef385012e57fe543a14244ece1b2912a30559a5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
51463e48679e644d53fad14dc361891e

SHA1
ed237dc5e324034bcdf0201addda7619c572bc90

SHA256
2bd6ccdd752c56b12575cf150e6a7cf413fabea7efb3c53da32851318c2ba853

SHA512
9fd2e01b74a367f2a8c126296c7006125a68c093418f2bd0799c477f3ba65bee504dbaa4968b7596addcf5ce4a02fb7efa1436d436a150523a965caf038edb57

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
860e263a3f4e90e7a4a7ec09ab2972ca

SHA1
02997e030185c66058eabd95398bdd7ef8597797

SHA256
32fa9d907cf11d7f10d4b8d667d17a4a6d15cc653cf3b0dc58c202294b3ee8bf

SHA512
797eca9e9a1d0c43893ef41c8a311a059d57fcc65185df3fd7c041e997a80021973dd856291f83253310463764c2cad41e9935d43a92256a8f3d00818b5068ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.9MB

MD5
c1ef82db647448bad0a80b6d91a1dce8

SHA1
15873f7635f02bfab79b6c6c1124e3ca98a1092f

SHA256
234225235a37d03c0bc3841da46f0f934fde81a6f5d434bd0232bf8ce1e4fa82

SHA512
82b93b777f59d66c29d71987bf453dd655c9cf7763008914be0dae8d6355b0d9d200e2774bc52eb4397e60ba5f41c6b4b2e0bd0e6f929994fcecd970ef8dc897

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads