1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
Size

3.0MB
MD5

0b8b92814562763a5ec33fd578317fd4
SHA1

4f7e2cd15d395b26aa164c1fabaf9d05c90c4c1b
SHA256

1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457
SHA512

a1f8a010bfa22046d75ebff12a9cc4afb714b4c1c561582cb582e369330734b88ae95e353395dd152538e91b2897984a55877679ab9d5b41f44f8c81b81270f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNX:sxX7QnxrloE5dpUp6bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	locxopti.exe
2604	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot66\\adobsys.exe"	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ64\\optialoc.exe"	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe
2308	locxopti.exe
2604	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2308	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	28
PID 2248 wrote to memory of 2308	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	28
PID 2248 wrote to memory of 2308	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	28
PID 2248 wrote to memory of 2308	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	28
PID 2248 wrote to memory of 2604	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	29
PID 2248 wrote to memory of 2604	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	29
PID 2248 wrote to memory of 2604	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	29
PID 2248 wrote to memory of 2604	2248	1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe	29

C:\Users\Admin\AppData\Local\Temp\1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe
"C:\Users\Admin\AppData\Local\Temp\1fb126dc1c8d21d24b44162cf6e845945485c5b753ef66b2071aa7142494c457.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\UserDot66\adobsys.exe
  C:\UserDot66\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ64\optialoc.exe

Filesize
64KB

MD5
1fe0d14acbae1f4503fe3c851d715a39

SHA1
6e9ecb695f2b07b82aa67f8a0c7c244f7baada13

SHA256
61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574

SHA512
5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

Download Submit
C:\LabZ64\optialoc.exe

Filesize
3.0MB

MD5
60e3c1e1a9781e0df9f07fa59f226a93

SHA1
44d93df6a4e33d9faf7234427a1974dbed6cd57d

SHA256
07fc4b7018dbb659a876be170368473ace27c9625ea29e989b64a236de22c846

SHA512
9065885f961be35cea1837bd8cdabe9622edcb7437d722c1e7887d2fc16ffb4754c104af3ec18efdcc210abace3b51ad7a4654a3a15f5ba1b03efb236dc9a711

Download Submit
C:\UserDot66\adobsys.exe

Filesize
3.0MB

MD5
6edd9e52abe11a30ea9060c9b7a953a9

SHA1
7dfe159230cad2742cca956db3d33df3ac8fd8af

SHA256
1f94590d466cc60795834f2571119ac92c26a2d05ed961fec0367a4e26300aca

SHA512
9dc11d5c9ddefc48f0fa4b567a667360c790998cfc036a0d91d7140c5ae8b79892f69275d95bd2213d837776918a6ae2104a29a4fb72356a47fa205bfe4cbd1f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
4850537a66129863780014a808d47e16

SHA1
ff3499808c253ed337b732cc403d9c8425ebea9a

SHA256
552a2d0a7ae1305d055ef23c9d61247c25ec04067b324dfd2de7ee80f2f62048

SHA512
16fbceb05dbe962fb2c5134990f17829818d36ac0b2b8b30ebb1db68614b217b02026f44eacc737e35b5f25b9baa2da34eb052d96258c8416b9da0cbe84105fb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
4b12844e13d0e63fb74ae99b19b0a814

SHA1
edec932fc2359f5f253b7a782001a3e4e94d47c9

SHA256
b7f634b50e241873fcc95d620e14ca19db0dd2a9a7bb18e33cf8ac5d5727199a

SHA512
c3d3c57f9c0bc341d2ef309322942097cf8fc027593ba19a5ed0711dcbbe3559ca2fca0454897caefa3acf50114e776e1ecdbc3e23c4f0002f1b5198b0cee88a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.0MB

MD5
c30b9cb05719424d4954a39da4489f66

SHA1
c2cdd624c7c9f44da654b59acf8643be7b9281dd

SHA256
d8c318c925d20ba10740143f7fff9cf04cbb7bce68064f612195d0b728d20cb0

SHA512
0f6e8943b7d7d45e09c9d54cd8bada305c17efa48c9148ae9bb2c59e5d4f79e200f1ca639d0102d82a46f7c689b65c06d7268a8b74723d6babf7351f913a7ec0

Download Submit