ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
Size

3.0MB
MD5

77d94bc38db2cfd3259f5c6c2a253ebd
SHA1

6fa31ea6d8a4621e6a07747ccf0806c1dfd3a94a
SHA256

ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278
SHA512

62f8f1bc5c8e1c6729e36e8046724a61b4a7e6fb41b90539ef86d2f2cf080ac9826408609baf4c59fa74365b2d9c57021a8682af34bd5c231e0680900165c429
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8b6LNX:sxX7QnxrloE5dpUppbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe

Executes dropped EXE 2 IoCs

pid	Process
1072	locxbod.exe
3040	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK6\\devoptiec.exe"	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIC\\boddevec.exe"	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe
1072	locxbod.exe
3040	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1072	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	28
PID 2240 wrote to memory of 1072	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	28
PID 2240 wrote to memory of 1072	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	28
PID 2240 wrote to memory of 1072	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	28
PID 2240 wrote to memory of 3040	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	29
PID 2240 wrote to memory of 3040	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	29
PID 2240 wrote to memory of 3040	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	29
PID 2240 wrote to memory of 3040	2240	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	29

C:\Users\Admin\AppData\Local\Temp\ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
"C:\Users\Admin\AppData\Local\Temp\ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\SysDrvK6\devoptiec.exe
  C:\SysDrvK6\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvK6\devoptiec.exe

Filesize
3.0MB

MD5
41f2123a0b7f7acee4138fec73c68433

SHA1
d09120bc9c7ab89b4eabd9163fea9b2f22f48a2b

SHA256
e95f3c73ca30425c17aa695d48d27a8a752398799e1cc7d4db527779785dbfd7

SHA512
ea2679fdbe13587e0e8bce19c54a830149e798c4cebd395621f2a38d1478ee59689007d661bbeeee63385dd06f7d83605febcd5d7ca9e6e2493447a86dc04aaf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
e32f34d70ba355ba3b1ea1af28e7feb2

SHA1
0c982185d277e6937a266c41176465008fe2d4fc

SHA256
819b2ab422259485d944b72c16f178a321ba1e6ec49c196e516a941d2497f177

SHA512
ba7b5992a83d2352b3a20a1639c017f228866c231ea8a5f522e019f0fc0c097729e3cf3a9a3f710863e4bd60725ae955f2c5a5fbe37390fc8a5e36933269529b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c7859d3c4748af60571def4e8b45e0a6

SHA1
e461b961bae29f064fb566cda02ddd4887007871

SHA256
ae611599fdbffdb6b8981a8486173518dad23763c439dcbdfa7ce34e7a720bd0

SHA512
0d0e27bab03e5f6f82c3bc7ab2584836cec77cc0e96cf444471d52d064b70fad8bd6e538dc98b639287cdb03f40f6d9003a169a5e4c71a2f261e4393021ceca5

Download Submit
C:\VidIC\boddevec.exe

Filesize
1.3MB

MD5
7949c0629c25a72a12d3865576eb04cc

SHA1
1c007fd7cdc095db238029afd3130a6d8aa9ecbb

SHA256
43ef24f0edaaef3b9a39ac61880314c07b3ca7c7aec273927b5ce4c720135ff8

SHA512
ce194f64ea9749f7fee8e65729002f8b729e723b29a1d0c9b51e2cf5d7279abaf9333e141fc63757d5c79cf72cd69e10f742dcc1a8e8121e675774a2f705df15

Download Submit
C:\VidIC\boddevec.exe

Filesize
3.0MB

MD5
93985f019d8d71e0f0dce6f9cc8f5711

SHA1
f1705f58161bf5b18b2a9b2db829578ed33bf8e5

SHA256
7cdc8fc110db736c0af79017deb7d75b6fe40e79560a64903c571dad7c0c6601

SHA512
86652c22df7f3287b91eaa9be32622fcd40b681d4507c33dba6fb99da323d094cae1b556e904934380bf8b98c0eb9b587d580e3824c2c17265f141f8528809b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.0MB

MD5
43fff05d627e9133023c16f23fc7e42b

SHA1
874d030e673b695cacb76a81245b933d24e2c9f5

SHA256
fd3553d3aee5b17b28ddfd5f826065b68ebb207c88d0a9eeaeb29a866f7e9c81

SHA512
5b9808a8b0b6eb7113c0b8dde982055b9d1e5b716c0047a0de4b7b59a353f6d66b5af02d40766d8009c038b4d093cc89fbb21f67e1a0a174406d85959dc6568f

Download Submit