918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
Size

3.9MB
MD5

0b8385a80202c7a9052e266bd6b5d712
SHA1

6477f77cdbb7637e7f807585ef25435ff1f2a193
SHA256

918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3
SHA512

f81a8670f50559fa5a18e613ce0327450bbff524653588da9abb44fb9acbc24c5672a157f4a1a264ee7c606fc46e4781038e143467f4dad905107a425b007b23
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	locaopti.exe
2836	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLE\\xdobsys.exe"	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZX\\optixec.exe"	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe
2144	locaopti.exe
2836	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2144	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	30
PID 1612 wrote to memory of 2144	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	30
PID 1612 wrote to memory of 2144	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	30
PID 1612 wrote to memory of 2144	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	30
PID 1612 wrote to memory of 2836	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	31
PID 1612 wrote to memory of 2836	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	31
PID 1612 wrote to memory of 2836	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	31
PID 1612 wrote to memory of 2836	1612	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	31

C:\Users\Admin\AppData\Local\Temp\918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
"C:\Users\Admin\AppData\Local\Temp\918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\AdobeLE\xdobsys.exe
  C:\AdobeLE\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLE\xdobsys.exe

Filesize
3.9MB

MD5
acfad8998cae435deb81ce8d3aaa0019

SHA1
de87987d6b9b84dd62b46d72eca8953f10e7d6a9

SHA256
37dbff1273c6cd93b95e745423d3ddb54a35cb215d491e28613e4176e5d287e0

SHA512
1a53efe47d13d56123eb7c610f6a1aaf49b185771f01ec6d7a932c5d51b37866f06e1ec78002afab0514a145a1655876e19c0b3952b08eb89ddafce2042ec955

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
47201059e76b1898b289f022bf914a35

SHA1
07c8562175e2d011fd5b5c8f23f58707bce576cb

SHA256
27a3eb1953e63dd2b046be3a18940b57f1c529d9ed71b61f8ec990ff66a744f6

SHA512
b4153275d3a21538eac719da44e6f1d78166c56296a39f4cefc74e96fa33405868308ab248bef2d086f4ff2d0de2fe05601fd6921a52155e21cb7d43d169071d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
beb3295ed877e15f184a26725242b168

SHA1
f8692bb348feace64bfd45d172779fe7d2a025b3

SHA256
c412903e05ee67632ec6b4ca5f19ca6898b6b68df18aa2c64a14d32455d62ea1

SHA512
933da1825f9278f610cc8e72b9ab6e952590fe9297c5313578fc5a019dceb49d5a8a0d4e8a413717d9e5b616eab5fecff25bfc4a596efa6c2a6824fd6c2e0534

Download Submit
C:\VidZX\optixec.exe

Filesize
3.9MB

MD5
ed6af2f8110e806682801181966b420b

SHA1
f8af34ad8dc49843d4ddfa37b84489c8db795e4e

SHA256
04687cf8647257a543ecd50d747cd303276b49467c5932c2e258e4ba53a457e6

SHA512
6441ab0152cf26d6f0f27166fb96f93e1263c00f5c673d13d0522b685a4fd137c473872e118960f7ca0bd06bf0dae6b4411ded9e5d94175e6bd7ba8172adf5cf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.9MB

MD5
f91ee6de5dadf29c5a2797bd722df9fc

SHA1
20bcb8077850fba1271c2aca05d266255858a031

SHA256
71bf977f8e6b1f0660b57ac6b88ae4cb3c07e0bc47c17bf7b9b7310bfbae0396

SHA512
ed0eafc2583282cb289d7c240b5a6fd530f7490c23e11c7c1966bf0bf56db3c9665832c860e36a03a54379a4b098dba1d5af3255a9bdaa0b63a1389cd1696c5b

Download Submit