56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
Size

3.6MB
MD5

813969ce4839a1f38c8ab3712a7c1920
SHA1

eda45ba1c18cc53d6c3dab7d3a1d05af1288726f
SHA256

56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8
SHA512

8157882a2d7ae3d7b7a27f96a3847f37d78d09d9c3df784d781f1065eddb9aca1a759bbb8875c196ce2b694ae4e839317e7d6571c8ff942e67ade498b5e5d1fd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpwbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	locaopti.exe
1632	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAM\\devoptiec.exe"	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKX\\boddevloc.exe"	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe
3064	locaopti.exe
1632	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3064	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	28
PID 2152 wrote to memory of 3064	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	28
PID 2152 wrote to memory of 3064	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	28
PID 2152 wrote to memory of 3064	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	28
PID 2152 wrote to memory of 1632	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	29
PID 2152 wrote to memory of 1632	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	29
PID 2152 wrote to memory of 1632	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	29
PID 2152 wrote to memory of 1632	2152	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	29

C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
"C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\IntelprocAM\devoptiec.exe
  C:\IntelprocAM\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocAM\devoptiec.exe

Filesize
3.6MB

MD5
b0f36d9b96e9d7d187157eb9ea097c89

SHA1
beb39f789bea01c49c979b82644ef41273f609c8

SHA256
b44048408d573415a1e7268d7acc655fd6ef0a5b2ac153729e1ee899f84be3ad

SHA512
4e7395b4bccb6508ed31ddde111153422294d286df0461ede2f039982cf5ab84c1092a48fde1e9f98b6bcb409da89042afa3b6f8519a300016caa7b7c7435c28

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
50c7161bbd7d98ed9ac114b45817dace

SHA1
806ad2b1858760ac94f2a4f34161905ba8af4d81

SHA256
5908ccc42ab54349d00d86db9c99f18d60f70198a9bcc4ff7c0a6011d343f090

SHA512
6a0cad1bb03f56d9c59ab7f3ba6b9c81b2227db05ad2039de8d4430f5b3287ce5986e1fd35a1a64d4f43ee6af4ffb5cc270b5b5d4bdfce21ab1b350b4382f620

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
30bc916b7e0f2f32e69dfb92a890c97c

SHA1
64c346618502cd122633b44cd85a4d028fdd6a8a

SHA256
182c2ab1c56f753165fd947d988f01e9f0e301cf879f3b77f92b42462420dc03

SHA512
94cf43b3db66a18bbe394a4236f80c1c683e4aedc85d716745cf88c7687a7f98323c725d3ca0c5dce9af9b746137900164e2b77e51068995028d145dce8d1a6f

Download Submit
C:\VidKX\boddevloc.exe

Filesize
3.6MB

MD5
d4efe9eeb403be8da8229936df0ba0ad

SHA1
2ecc1be777df9161578fc13d4d1911ebc375fb2d

SHA256
4c8406a6c31dff0d9426f798254ad0ffe9711486d717cdf869d5bbd2d356c011

SHA512
2d9263592c334eee34e1a44dd765ddfe25b09a68e573800a72fbad8a8379473bb60aab0fa10c3b70f3778033928be31d5b28173046b43976e4d45bf144fc5cb0

Download Submit
C:\VidKX\boddevloc.exe

Filesize
3.6MB

MD5
3c6f5c3ebcbce1cecfc03b5b0b66067a

SHA1
65417d25f8c5d432454d4ead5df7d01ca65e2f35

SHA256
855f8574bfcf19a44d47f039c742445243defe3cfee35d0de9a7c1b2f31c1e6d

SHA512
29182ba1c74f9db9a47a69ea2a5a1e6244757bf413fca67ebe11883c388cffa924ed51b236de2c104bae8676b248a08b5790185468d763b9beae6587ac94fdfb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
4d9366739ed270d044f26cea8dd9d584

SHA1
cc6931a01e2a242c191b895adc81738741b33ba8

SHA256
5a5f52aab72876957912f3f3e4f2ff8d6ab21307ce912cb5bb24a84c4f2dd138

SHA512
e92cd92452cfaf20b78804a1f7c79b2d4801f5c8bf3c7872e51a97564554a42f52eb567752c00906bfe7a462a364b5b629e379bd2ed8fc9b6a51362231f8190e

Download Submit