a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
Size

3.2MB
MD5

b48eba860a9a1c3c0d4ea9ba20a45e1f
SHA1

6c5e463eb850f26301f8c1f881b4449966389c06
SHA256

a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03
SHA512

62f4aacaaaeb2f6788c142b8861c0929b1b8a9dba3888e3505224966a036b91d6ea13955259ed1fd85ca9802d07f9efe162b8bb9d258946d2160d24072bdd900
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz:sxX7QnxrloE5dpUphbVz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	locdevdob.exe
2140	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKO\\xoptiloc.exe"	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCS\\optixsys.exe"	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe
2264	locdevdob.exe
2140	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2264	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	28
PID 1756 wrote to memory of 2264	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	28
PID 1756 wrote to memory of 2264	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	28
PID 1756 wrote to memory of 2264	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	28
PID 1756 wrote to memory of 2140	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	29
PID 1756 wrote to memory of 2140	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	29
PID 1756 wrote to memory of 2140	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	29
PID 1756 wrote to memory of 2140	1756	a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe	29

C:\Users\Admin\AppData\Local\Temp\a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe
"C:\Users\Admin\AppData\Local\Temp\a1b6cbb88c1136c085e0e27375c5249572028a3fdccff0f7f08b3f808c397a03.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\FilesKO\xoptiloc.exe
  C:\FilesKO\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKO\xoptiloc.exe

Filesize
3.2MB

MD5
ac0bbdf34002ec575b6896285da1d626

SHA1
742786376f69f82928eb90a9026b4da210009dea

SHA256
bd8d71d65d8346f0b5bf4b060cbac640556af551608099aa9fcda2d634b052fe

SHA512
5a89b503baa61fc9151e5d29761a2631ac081283e3a1c03c56cfedbdfd4bb536dcc45712c2646770fece2e8efe8f307057134b796d723b427eb1fcf73b9332bc

Download Submit
C:\MintCS\optixsys.exe

Filesize
896KB

MD5
ecdff8b5d350ea77023b757b2e1f7bfe

SHA1
4f3b52658bab4ef7b63b4187613263c67270b9e7

SHA256
1494a0e0c08d9846b7496dc009cc357611448afbde0eb022a2c71389630d0146

SHA512
c475a563a6bbd83bfb039bbd8448547e70b781730c4718c2e88868bbb4d6c7f45034c50a471b5269ea1835b3756e58e4898fa2b4c7e67aaa8c87a9e2e3de7388

Download Submit
C:\MintCS\optixsys.exe

Filesize
3.2MB

MD5
e1a6c25c1157fdd469c580101b105183

SHA1
0540a64800700606bd31383b2fcd3f39b8e67940

SHA256
3e5de712acf62499d454ce1a3570d91881ee7ec2b40ecc07212fe679e60dfe53

SHA512
5bb09760fb913fbc800945de099ca07b57253453fc31599657b4732348057ef19f746459af5346987fefd66c74912bbabf8772de8692924f1673009e17274fd1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
f4f7d6c0d7f34dc1c2b3e65384ea8348

SHA1
2bee69b9e8f79375a39682c671febd20efb904f9

SHA256
5e4cbc522d65c75c4f2d40d11d466cf801a096f46dee4914a6647f3a87243e8f

SHA512
6ef873fbc507027cb191d649a1601fce24196ce88268d26c21983958e379a2d6b2e11fbde256646b863271ec9bcc8ed6ceaac9991d23a6152b5adfb38aa9486b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
aa8f9a39afe72acb867df751d59c7439

SHA1
1fba162d600b06cafca422e0516dbbfa3ac8bcba

SHA256
7eba1a886f23f34f7f15f7cd17622bd2ce6fc90acf9cec7eed2cc3684396efa2

SHA512
f2fb5a9cb3e9067b685849e20da5a788f3320a0be210c7c6df9f5f1b760be13071fb4e104b6cd49e9ea5032332ef7316c68f5136dd421ab89d4e1cc759b0b3ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
12e923324b4f4ec14e6bd36111522f07

SHA1
b59c8dfa1440ce3736b9361cb327b2a70094e4b0

SHA256
c77d6b5b440d81b76d0711f317cdb5145827af59149d8b3b9daf0559650f3825

SHA512
5d53b2533f0ff7cdee19ce2001f963f9166349c4ceaf0c2d4c7e71c1547d3b5ff64c881677012df82daeaf834b82639a6e66921a4ef413998bc6808e5a2779d9

Download Submit