cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
Size

3.1MB
MD5

3e3afa63ceb3e7c54a63844f65a62384
SHA1

9bf15d3b10b8ebe5e4361c440242a337dc257f1a
SHA256

cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a
SHA512

5d4c0d2c029c00b5193c29af90633b1595e75809fe9050c2f3317b76d98f1bb540b298255a71c83da2c40dabaf66147494ce289f6e4083c518f4b88ba085ba8f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI2:sxX7QnxrloE5dpUpIbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	locdevdob.exe
2248	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5K\\xoptiec.exe"	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNQ\\optidevsys.exe"	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe
2780	locdevdob.exe
2248	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2780	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	30
PID 2668 wrote to memory of 2780	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	30
PID 2668 wrote to memory of 2780	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	30
PID 2668 wrote to memory of 2780	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	30
PID 2668 wrote to memory of 2248	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	31
PID 2668 wrote to memory of 2248	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	31
PID 2668 wrote to memory of 2248	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	31
PID 2668 wrote to memory of 2248	2668	cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe	31

C:\Users\Admin\AppData\Local\Temp\cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe
"C:\Users\Admin\AppData\Local\Temp\cd96213736c9d5011df5deeb969d0ad0c0130c13537e7eaa2a62f078eba6ce8a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Intelproc5K\xoptiec.exe
  C:\Intelproc5K\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc5K\xoptiec.exe

Filesize
3.1MB

MD5
16b19e9207d3afe20a9b25486795e216

SHA1
dc233578f9079194529d8fe77e57531fc0a5038e

SHA256
299507a5a7af6816a2f49fdf450165c25ff7b5e12b748cece3659b511c3e5281

SHA512
5d7f0211cdc1b213e4193b3dff520e234eeb4128ef0b8422d031f0f7768d5032a03fd6b83a1580bfed6d33b8f1d1b77818325a115a52e4bcfcd365af36037b3c

Download Submit
C:\LabZNQ\optidevsys.exe

Filesize
3.1MB

MD5
5b824ef066665911cce8d35ad1eab00b

SHA1
d92918d11698fd062e91151ce165e809422870a6

SHA256
be77a145757b8dd0077856a470811964e160c7e0630bcae324e6eb16741f9c86

SHA512
e22885d2e0897a048af910a6bce14362f626813f4de6fb01e1aebd6343adbcd76f059a4fb74d5b05363bedfd93e75a4761462ce5782edc4a017380401cf41a8c

Download Submit
C:\LabZNQ\optidevsys.exe

Filesize
3.1MB

MD5
62e422cd947cf702cb1eae2786e9df78

SHA1
34d357f8b807aa17a06be457f98b123cec35aca4

SHA256
ecc593ae22b46e837baf39b4df66b4c7e60a17c9e1bb779fa9b692541d2da8cf

SHA512
3f65f0a5f19971bf564e6b1274cf202edf68bfa4a30261369dc9a310b3ba5889cffb0e8249782ceb77700aebe572f48300b697644b1743cd7bcfc95f62cd9f6e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
e66f0aace91d78726f917431e8f489ef

SHA1
7b83f35c2adc5e7c7426ebd164ca8073b40cf402

SHA256
f05c03bcba1688cbece17a6af60f7ec744c5f0f8b5204ec54f2e1bbc3d92f50b

SHA512
2bdcc92ef9bba7d79849abe3febc0e9ed96fb1bc6c387abe86958f8cdcede78fc83abbb68a1e3778027eb51d5a718355ed1d34dc358fa67b85e72101e538e623

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
b3dfc297dfd948510eeeaeba5064635b

SHA1
1fc7f3daf4e812710b804e58c6ffdac8ed97cc0b

SHA256
6be93561c568b275be80df326b2bc66b06e7a9f891566ebe0bd1a429d68605a0

SHA512
64d893ce2e88ee5140a0b816974a520bf99491705c991354ca7f4cc759e19389a595e043ffea0675994a1a35c6ef2a709dba7b9f8a10e0b49f9354d882204cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
6fb62b39b3fea817a0667aa471b59419

SHA1
00fcf9a0e91c83fd822602fe14e12d118c2739dc

SHA256
2af4f5ee963dfa44c67e737d48dc6855d2feaa289bb70219c4b3e72dde309619

SHA512
9830b7d3b60206f134a566363f5135df79ea680e97b3bdff353e4b48b2fd7535bd10f7a3761323a904b39520a3601aec57101419cc3231872a4779a37d238a64

Download Submit