a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156

General

Target

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
Size

3.1MB
MD5

10b20e46c3cea4e5430150391ed0afe0
SHA1

d64f8ba7201d52582c1bd6dda7f8b33b141f3746
SHA256

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156
SHA512

471fa1e717717a6626800e5dc4c7d9e1290a186dc1ff76c23dcf68ea71e6d6558c9954a909817e5d16315aea6b75a0a65d5e4038ae882a811d2298516a83421a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp7bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

Executes dropped EXE 2 IoCs

Processes:

locxopti.exedevbodec.exe

pid process

2608 locxopti.exe
2328 devbodec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2608	locxopti.exe
2328	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot50\\devbodec.exe"	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYA\\dobxec.exe"	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exelocxopti.exedevbodec.exe

pid	process
1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe
2608	locxopti.exe
2608	locxopti.exe
2328	devbodec.exe
2328	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	pid	process	target process
PID 1728 wrote to memory of 2608	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	locxopti.exe
PID 1728 wrote to memory of 2608	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	locxopti.exe
PID 1728 wrote to memory of 2608	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	locxopti.exe
PID 1728 wrote to memory of 2328	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	devbodec.exe
PID 1728 wrote to memory of 2328	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	devbodec.exe
PID 1728 wrote to memory of 2328	1728	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	devbodec.exe

C:\Users\Admin\AppData\Local\Temp\a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
"C:\Users\Admin\AppData\Local\Temp\a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\UserDot50\devbodec.exe
C:\UserDot50\devbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZYA\dobxec.exe

Filesize
1.8MB

MD5
94dea82fe4098cb6a43e9160e2b792c7

SHA1
3a32f2909eaaff1e90810df6e31450e23083a425

SHA256
7923f72f9a6dde83fb7c6a5eddbf7899e38f86064cde480958c94f61dd2e3a89

SHA512
7cbccec3b6cd0e259e7432466e4ca91aac7b22aa588ab6faece2e4ff0f77b779bcdb5c6dd70e28dd18f9071a2f08757e045d1edca46ce8e95351b58000a9e494

Download Submit
C:\LabZYA\dobxec.exe

Filesize
492KB

MD5
e1d89a09418de9488fd11649f7db6089

SHA1
19e0d91af304c20c456c712eff2b8cbda06becea

SHA256
10345aee9159f6cdb4faec035fcb1dd2cb4069bee75797153ed32542955d60a8

SHA512
effaf0a33ea3f2016fa2fc4a37435a6955e8b8d3cd19e205d2e7deabcdd1f58c7bb4c500dfe8168ea0af80923c787caa96ccafcd7a9ce7b05479e390850bbb4b

Download Submit
C:\UserDot50\devbodec.exe

Filesize
3.1MB

MD5
5b428bba725cbb481941e88797f66d24

SHA1
cb8a57ae902788614b1a64c7c0d3e3b9ab9d034e

SHA256
e58e1b3dad98d937d96a2d8aaf1d9bc490c5cfa22cd4fdf55a0af582e5151dbe

SHA512
106cc3dba7bba81088f5931e92ee0512da75f5e649a910d79352f42a0a14af528bd5e79343a862dee558ec67ce8fdaf6dd271988600894a8604b78a5de323e40

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
51463e48679e644d53fad14dc361891e

SHA1
ed237dc5e324034bcdf0201addda7619c572bc90

SHA256
2bd6ccdd752c56b12575cf150e6a7cf413fabea7efb3c53da32851318c2ba853

SHA512
9fd2e01b74a367f2a8c126296c7006125a68c093418f2bd0799c477f3ba65bee504dbaa4968b7596addcf5ce4a02fb7efa1436d436a150523a965caf038edb57

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
860e263a3f4e90e7a4a7ec09ab2972ca

SHA1
02997e030185c66058eabd95398bdd7ef8597797

SHA256
32fa9d907cf11d7f10d4b8d667d17a4a6d15cc653cf3b0dc58c202294b3ee8bf

SHA512
797eca9e9a1d0c43893ef41c8a311a059d57fcc65185df3fd7c041e997a80021973dd856291f83253310463764c2cad41e9935d43a92256a8f3d00818b5068ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
5f687397d9f553b9556a95adaef75a15

SHA1
348f4889f6d511115bda1680f2ee1b9c47067d7e

SHA256
3546322ae681e2540c61b19b539f0c672b5d9c68c10c96e7cb73dee1c5db49f7

SHA512
d66fa55b9ee1fbe161e499b36868355970f39b9bd3cfb6e915d33742454c0d54b0567e467f5ed339bad9b00851022a69a5f159beea0cd7902e4fa0fea44e873c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads