Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
  Resource: win10v2004-20240508-en
General
Target: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
Size: 2.6MB
MD5: 70e4a479abe061eef8ae8a00438c0e26
SHA1: 8e44b2b251cde8581f0bceffd66a5cc2d7e785be
SHA256: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f
SHA512: b57b61d6a477705f50b441c63924c5c76ec08279afa6df18f524f70f0b614f56b3ca1448f20bafe59717db55a6aaa5d92990231cba9713c86e7c97e72c12e33e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb
Malware Config
Signatures
Drops startup file (1 IoC)
Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe

Executes dropped EXE (2 IoCs)
Processes: locxopti.exe, devbodsys.exe
pid | Process
1548 | locxopti.exe
5028 | devbodsys.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWQ\\dobxsys.exe" | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1L\\devbodsys.exe" | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe, locxopti.exe, devbodsys.exe
pid / Process pairs, each as recorded by the sandbox:
3236 fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe 3236 fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe 3236 fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe 3236 fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe 1548 locxopti.exe 1548 locxopti.exe 5028 devbodsys.exe 5028 devbodsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Process: fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
description | pid | Process | procid_target
PID 3236 wrote to memory of 1548 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 86
PID 3236 wrote to memory of 1548 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 86
PID 3236 wrote to memory of 1548 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 86
PID 3236 wrote to memory of 5028 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 90
PID 3236 wrote to memory of 5028 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 90
PID 3236 wrote to memory of 5028 | 3236 | fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
   PID: 3236
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      PID: 1548
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrv1L\devbodsys.exe
      Command line: C:\SysDrv1L\devbodsys.exe
      PID: 5028
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads