53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372

General

Target

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
Size

3.9MB
MD5

12b87875d1ebf8529283f50efe31a200
SHA1

ec99628ef9bb5125d2b1c0e467177adfcae7590c
SHA256

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372
SHA512

fe0d53cfa27e2051497e1821ccf8e4a496e9e3c99aede4a12794ce86f54f47231d360fabb1148966bdd56fa3cca623d6ac4dc18d2dc230182456d0339b416f61
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

Executes dropped EXE 2 IoCs

Processes:

locxopti.exedevoptisys.exe

pid process

4420 locxopti.exe
2584 devoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4420	locxopti.exe
2584	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9Q\\devoptisys.exe"	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCP\\dobdevec.exe"	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exelocxopti.exedevoptisys.exe

pid	process
368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe
4420	locxopti.exe
4420	locxopti.exe
2584	devoptisys.exe
2584	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	pid	process	target process
PID 368 wrote to memory of 4420	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locxopti.exe
PID 368 wrote to memory of 4420	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locxopti.exe
PID 368 wrote to memory of 4420	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locxopti.exe
PID 368 wrote to memory of 2584	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	devoptisys.exe
PID 368 wrote to memory of 2584	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	devoptisys.exe
PID 368 wrote to memory of 2584	368	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	devoptisys.exe

C:\Users\Admin\AppData\Local\Temp\53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
"C:\Users\Admin\AppData\Local\Temp\53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Intelproc9Q\devoptisys.exe
C:\Intelproc9Q\devoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc9Q\devoptisys.exe
Filesize
3.9MB

MD5
e587ef1c25f225d6dfa6f09a56b4f04b

SHA1
528f64bea65473e606a7431a8b4b834305a710c7

SHA256
51c28f50c32805b9be9c90bbf92ff6e78884ce52ae410d12858d34ccaa9db607

SHA512
7f613e3524ed2ed5a268576418510975f1d8b3fd9fab57e97b24508a35d9580488628634c2c8ccd489765da640b995d8e23349dcf00c7f755439affbd601a1f0

Download Submit
C:\KaVBCP\dobdevec.exe
Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\KaVBCP\dobdevec.exe
Filesize
3.9MB

MD5
de22a8b496b2a01bca8b5073524ca337

SHA1
fb5a7aea6fed1d2c8f4219c74684f032cd4a854c

SHA256
60b31234b5c5b9c77eb660ed94b98cf78b60fc56b5a177ef786edfe309fe7c73

SHA512
80d3f86389b642090a55b6a79d3d6ad9af828396bd3bd62d504744914090ab992b05ad5f1438d212b4083825db291bac0ee8088fc3630ecabb701174a77d2797

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
209B

MD5
37830a217fa945dc0fe53e1192b82c82

SHA1
5fe21ab32caa9b57bf9b81e4641aa92219cd9d87

SHA256
3d152e9f92deca315a1d45e73a69e1ed7aafceab44b57342c7f926844d44d86e

SHA512
ea3f6a006e8bde9729531b5722a387513bb94d62fadb7f370ee8c9db4483b32a1dcd2e3912f5fc30205252f24e57fba1eaf8f33d940b72be5f4df61cd05cd02e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
177B

MD5
7ba72feaa2bb6b4b08be2d5d9dea66eb

SHA1
b10c510c17d04d749a3f31c66adaeef9587062da

SHA256
52c5de9676d039335d685a11c723c76bcbc1451d49ec325dfd2bcf87e08dac57

SHA512
d114a2c0600b1c72852355958bb2a2e8c6cc4cca4d4a17c89432960b8f4f991f3196e06afd8790ebcc64e4f37c28857b39a16d88e61130afe2f5be5f82994435

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
Filesize
3.9MB

MD5
0db41b7b18a0395f6d4e624a2e5630aa

SHA1
bae58bf2e31a2fa43c66a8a076478420bec9741b

SHA256
1964ff52e6da8cb0c30719ec9e783b5563ba550396ae1b414bf51d6c4f9bbb9e

SHA512
5b422dc46e3f4d11fdf06e2f67851e2f3cc5fbb992426d61ea3ab9831a6c7d1e597b9e55631d6025b4fbbe3a7937007fc206ef5727adbcc8eb1e292dbc7137e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads