36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec

General

Target

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
Size

3.9MB
MD5

23e90af209709ce8901a4dd3433cf4b3
SHA1

6d59513c6a2601214cfe5dc0c144d52486b087c7
SHA256

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec
SHA512

9582c5e5ff76f17431dcb5e672b97fb1e661c6d10172a12cb88647253411e2ab3a974704b5e8977efabe9d1ad6f358095a4c9d5c4273874f27b77bcbff52e558
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

Executes dropped EXE 2 IoCs

Processes:

locxdob.exeaoptiec.exe

pid process

3000 locxdob.exe
2152 aoptiec.exe

pid	process
3000	locxdob.exe
2152	aoptiec.exe

Loads dropped DLL 2 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

pid	process
2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGW\\aoptiec.exe"	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4S\\optidevloc.exe"	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exelocxdob.exeaoptiec.exe

pid	process
2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe
3000	locxdob.exe
2152	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	pid	process	target process
PID 2784 wrote to memory of 3000	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	locxdob.exe
PID 2784 wrote to memory of 3000	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	locxdob.exe
PID 2784 wrote to memory of 3000	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	locxdob.exe
PID 2784 wrote to memory of 3000	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	locxdob.exe
PID 2784 wrote to memory of 2152	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	aoptiec.exe
PID 2784 wrote to memory of 2152	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	aoptiec.exe
PID 2784 wrote to memory of 2152	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	aoptiec.exe
PID 2784 wrote to memory of 2152	2784	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	aoptiec.exe

C:\Users\Admin\AppData\Local\Temp\36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
"C:\Users\Admin\AppData\Local\Temp\36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\FilesGW\aoptiec.exe
C:\FilesGW\aoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2152

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesGW\aoptiec.exe
Filesize
3.9MB

MD5
6adf23a759c8f549fb3d34d861048ab7

SHA1
bd086b05fb6a9d4ea3624b0c7a9ca55128080c18

SHA256
44fe14226a8aeedfbf2d6029ed7a1e0185b2cc1830a88a2de444bfde73eea27f

SHA512
8376b67202c7c864e8ecdf090f74580885b18d7cf2528ae27e9a108c74a236b1a98107f841033befccb38b0a7dc6bafe1c2cb63ff8965866e589c856bd2db359

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
170B

MD5
28a13620d7d809ad03f25bfafd773b1b

SHA1
713277e8235dd48308506086a7c5e65bdc1e64f5

SHA256
55cf199c26737173e0f93fcded331715e020d5bc553d5cceb66582bed7e5441e

SHA512
15df3c2fc9b9327ee3f45fe9e89110ee5970e601853ea8e5bff4d7feaa60849d9d4e32d2ade855dc9960ada8f022bd7323059b5584939a6c348e7471d770c1d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
202B

MD5
7d6d73bbaa464b1ca5fe023165f601cb

SHA1
857bc63b9520966b72589ff2e7e79703c6c8dc6d

SHA256
264fa0fd8c55c02adc3f21e146069dcb7b5b583ff5e86e1464f13b0fb358f8e0

SHA512
b6db71b43d53592aa80f07d420ea659b274551831a56f1b3c2fa83899659b146ef69fe357494265d2a34162cf197a210a296b1db8d980caaf2cd9dacc8f05a73

Download Submit
C:\Vid4S\optidevloc.exe
Filesize
3.9MB

MD5
1337c67086fee9dc0c4d2220fbe2ba14

SHA1
5c59604453808adb7cc39699a574cebde248d636

SHA256
fe3881ca47b1b6487e895d737c2999e9eb7455dde903bb26a30b02fe35cf38d3

SHA512
182348e10ed3e2e3e8ac5e366b01cdefb86b191e88c3785ae49c253558c6b2f206bb82586cf61055b9ed6531ad98d4d8967a6c3e51cccc44b78015ae597a0d40

Download Submit
C:\Vid4S\optidevloc.exe
Filesize
347KB

MD5
55cb62d3570d9c14df85fdb0d05033ef

SHA1
6015d174c4add6d30519966716be414ab8d2f82e

SHA256
b57e1982084df027d8ba593449ee93593c28c244c560c53ce85a7d6d99a23239

SHA512
c1ac80ff75ef04111e97771caeda5218a5d9b481bf52968b740978ff0a232ab8e7724c979155bca84ed3db8d4e263fd6cd9fb4799dfdd8dd61684438de7e4c16

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
Filesize
3.9MB

MD5
6bfa34f66cffe60c3ef7f2b4cf75cfcc

SHA1
379d5a3ecfe63115c9670d1d0571c282177817e2

SHA256
00b7bc9756a84bf5c99b700908da3bf34abb5a5a90642b58941fb0ae12091ddd

SHA512
3bd09f491c6aa608f604f670cfbb9373d93c86f63440ba22a7c31e71f02f752f4e18322c109551cc9cdb354a179e08c278192b855ec19b14a2b3beaecfe46f77

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads