9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
Size

3.2MB
MD5

875fa26be7067383c3f73c9de74b3141
SHA1

d02babe66a661ed2b46e8b6869b48f519b51b1a0
SHA256

9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717
SHA512

851f322c6690a7e5a67dc876141c2473c3b95f54f2418d96543d5751d64232366e3f645a27a6a38af61360d76bdd361be0c610d0617a59ddbd72de0927095765
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp5bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe

Executes dropped EXE 2 IoCs

pid	Process
3396	locxopti.exe
4928	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHI\\devbodsys.exe"	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4O\\dobdevec.exe"	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe
3396	locxopti.exe
3396	locxopti.exe
4928	devbodsys.exe
4928	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3396	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	84
PID 368 wrote to memory of 3396	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	84
PID 368 wrote to memory of 3396	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	84
PID 368 wrote to memory of 4928	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	85
PID 368 wrote to memory of 4928	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	85
PID 368 wrote to memory of 4928	368	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	85

C:\Users\Admin\AppData\Local\Temp\9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
"C:\Users\Admin\AppData\Local\Temp\9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\AdobeHI\devbodsys.exe
  C:\AdobeHI\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHI\devbodsys.exe

Filesize
3.2MB

MD5
b6d92b8da4551bc8472605d341c22018

SHA1
46b274255e7cacfa2656143d30c5fbf10303e259

SHA256
10cb6aca3701e6d884dccb753017ade3ca676ba63d25da971bfc24f704f7d1b3

SHA512
c788761c87a28f08d06263191f90f7cdc0aa808aa1b6a970947e90c399fe481ffcbf0d92ce944ea447b4b65a621c6e4fffed7fec7e6df496ea5cd84463f5f69f

Download Submit
C:\Mint4O\dobdevec.exe

Filesize
3.2MB

MD5
5f40b2bee72a2898e4e13185fb7cbde1

SHA1
7e38e81676e4723b34a2102f36afbbd17f24de23

SHA256
7a7aee2e19363cde712cc5b9c1228daaff88ae10b976a4feeb4ec2965d12cc4b

SHA512
33e52b6aec319b94fc33795adbe284dc38c7d42fe8975d56bc5cf87a1130f322319466851ac63d23b7e19df8c75030b2432f5cfe9fd952287ebafb25909724fd

Download Submit
C:\Mint4O\dobdevec.exe

Filesize
3.2MB

MD5
162369c3e85694688143f1fdf772ba18

SHA1
ce93b72eb4f2d204951b119d6428b2400b179631

SHA256
c587c7dbca127e25d303030749316685915b2b95a7088c8057cb9c171f4d8da3

SHA512
098296f477cb48dcac0f096c067d7c336b534abe33a57626bbb194104258aacbbffc7b79e11c9467be2d097bb8c2d1eed2342777b6cdd2fd0dad071580c0c38f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
82d57f3caee3aeed1ef908bbd4584313

SHA1
281ac8f4acf779d7e904002429518cad3f0d5926

SHA256
44664ce2f6c70bf559f7b1cd7e1e541dfbcc57e21a85f67a8afe00d811c32e74

SHA512
cfcc22a76620bbbb335771158d051204e537ef2c88a63ec0399c88cb9eaab58b9991988da22bbd09a7bab87d33991aabd5d11c752b62bc993ae9933c4bcabe21

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
c061eed47902e95d729c11741dead8d1

SHA1
6a86cdf268a8b05ffb7d1422f4010849e2b00123

SHA256
ed6e66cd27696f564917763e51ea76fe15507f81085f40f6ffd1a620dff71381

SHA512
10b736ddc9121e57b07a37dd344eab536b3b3fdce1857fcbd6b32aa38143ce8b42c36f45714d0715541023311c0a92e31108b7484226e39e4e2df67c5d6ed723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.2MB

MD5
f8def456e124673c92afa6fec8fd6c3e

SHA1
39956950930ab50afde9487fdccc6c1d7b15914d

SHA256
94fd6e85d4e56f46b47b87f4b7c56e466d898a9579c8fea988807b7becf44668

SHA512
bc252f71e381dd7a27face45f0a6e9a25c4e9e0b55edf366f137d983cafe0a78cdce9e0b311b0514302df2cd388b5a84f5a61ee85f88f57d5e4cba5fd77ab173

Download Submit