1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
Size

2.6MB
MD5

0b1f2ebd224c081ab73d762b3b8b1328
SHA1

93b358aa780db54a25bc274318299b1ee62b6300
SHA256

1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406
SHA512

7b65d1d86b88a622195f77231c70f4d8ce5a1b7a111033e9cd280693bd4cc1a2e78476aa603184d958a3c6824bcb5b71a40a20fec1938a7420511ba0e1a7ad34
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpIb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	locdevbod.exe
2180	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9H\\xoptiec.exe"	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDK\\optidevec.exe"	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe
1708	locdevbod.exe
2180	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1708	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	28
PID 2224 wrote to memory of 1708	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	28
PID 2224 wrote to memory of 1708	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	28
PID 2224 wrote to memory of 1708	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	28
PID 2224 wrote to memory of 2180	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	29
PID 2224 wrote to memory of 2180	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	29
PID 2224 wrote to memory of 2180	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	29
PID 2224 wrote to memory of 2180	2224	1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe	29

C:\Users\Admin\AppData\Local\Temp\1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe
"C:\Users\Admin\AppData\Local\Temp\1cb3036969df6bb04138d0b3ef525700927bd9bdc062780461df4bcc00c1e406.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Intelproc9H\xoptiec.exe
  C:\Intelproc9H\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc9H\xoptiec.exe

Filesize
2.6MB

MD5
40955ce8e56fe344ec4bb90716f47641

SHA1
b6e071a207611bcdeedfee873628a64853c6a12f

SHA256
caf8c837d1f2519f21bcb28710a0d60606859f695f68d5267942e94562e6f09e

SHA512
e98e77329f0554071194a82711e3d0ef36a2b593264b72839981dd9eeaba0389f63416f95a715c92822522e473aa3abc4c6f94c9c41186667a000af7b548ae9f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
80d53b7f4022a370f80c03734df53b1b

SHA1
571508f1722cf76c9794bc277d547a2666277f54

SHA256
1db0a448d3d15c39d029e7ed6c2ba1690a0583a1ec0289b5903efc6239340c16

SHA512
17ec39ce81754a87bda90a8ebb311f9bb256b16feaf798afa85fa9cf495d2e98d642ebe3dbdb2f270fa4afa940caa4fc3b7ee0b463d5eda6278f68fb5859fcc7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
062540bdbdb410a6356f5ac9b705215f

SHA1
66f189889f90e3d8574f0902267b886b8afd7ef2

SHA256
a0f0461f74e96021e20aa2548617817b740de36d3b4f66e496dff44f746ba3a6

SHA512
8510872e7381cc06e26d2732888e21305481c0f7874325b11b0503cdcc9f020fd72b7c53ee0a5bc338fd25b50504fd41290e68cab053a4f41d49b2d6fcaa998a

Download Submit
C:\VidDK\optidevec.exe

Filesize
2.6MB

MD5
0c1878e29110f571175758ad395880bf

SHA1
ecb626f9b90ca28acf40da814595c2437ea14984

SHA256
e54df78ac8e9f53ec4f044a37907109f92909b78c5f3febdf431ed65e7f776ee

SHA512
caea39292d44c7d8c2154e31c7cdcab59b9d4e500c8cd52241f2a2b6dafdd9774b8701b885f7caee7c4ba1a1509be426e0ae592d7283d3ce11db9654e050430a

Download Submit
C:\VidDK\optidevec.exe

Filesize
2.6MB

MD5
eb6179c47357d3024b495d533b170c16

SHA1
d4976e061917bd39436c4fd967f25ede64c32f3d

SHA256
906059bb3aea8da8b0a04600f9640a4096ebc373da04b3b4b5201b91cb564c68

SHA512
ff96f12d8d1c450c0136ed5fa3073c12a90a60786eac02e17880d7dc671bd192537a1c7f23782563c7977ce3a0548f167a2d3a98bfaac38524715cfb051c7bea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
58113c480b22efb0a07523eb238f060d

SHA1
20b6a8847d68923db6b0d3371572fe989dac5a70

SHA256
dcd685079f9264d6d3037313e119cc6294adf77698978bef4a2352e6ce987a8d

SHA512
a5f5acd9a43f0e0a1355ca43f4b9646e502c1880138cb64f68bae41c2de5eda4d7a4dce07a927489cc8795443601d2978350b7206f99adbf0181b967870943ff

Download Submit