4f1b8a97e9ff7fb55a57b482e8715107168b48e698dd75277b6fcb2d54fb646e

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3e5bfbdb43d030faecc777d1e19d8d0N.exe
Size

3.1MB
MD5

c3e5bfbdb43d030faecc777d1e19d8d0
SHA1

b306dc0453c4270069d602171f43c3ea1f5b248e
SHA256

4f1b8a97e9ff7fb55a57b482e8715107168b48e698dd75277b6fcb2d54fb646e
SHA512

b9b37bc5e4fef4f2a1dee95ef08dc882254b4437008eb2a2d795e0905a15be1c3ddf3d17de8c0ce33aa8fa8cc2b478068b1412635ffaee035409e1ec9a0102ac
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	c3e5bfbdb43d030faecc777d1e19d8d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	locxopti.exe
2348	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe
2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv03\\adobloc.exe"	c3e5bfbdb43d030faecc777d1e19d8d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBW\\optialoc.exe"	c3e5bfbdb43d030faecc777d1e19d8d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe
2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe
2364	locxopti.exe
2348	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2364	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	30
PID 2528 wrote to memory of 2364	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	30
PID 2528 wrote to memory of 2364	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	30
PID 2528 wrote to memory of 2364	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	30
PID 2528 wrote to memory of 2348	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	32
PID 2528 wrote to memory of 2348	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	32
PID 2528 wrote to memory of 2348	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	32
PID 2528 wrote to memory of 2348	2528	c3e5bfbdb43d030faecc777d1e19d8d0N.exe	32

C:\Users\Admin\AppData\Local\Temp\c3e5bfbdb43d030faecc777d1e19d8d0N.exe
"C:\Users\Admin\AppData\Local\Temp\c3e5bfbdb43d030faecc777d1e19d8d0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\SysDrv03\adobloc.exe
  C:\SysDrv03\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBBW\optialoc.exe

Filesize
3.1MB

MD5
479853e4221b6ec6168b20bdb9991457

SHA1
18eaa2daf5897cc25cc43ca856c70352d08643d3

SHA256
5430b29f898156408943782750f54de87a97d6704cc49bb761fc310a4d02b5d6

SHA512
44fb839eb7bc8705bab9e9c9dd936cf49d585a0727329cb4879c230c3536a421d1516191f7664b568500d64cc7c77d0129e37443a5bab2d852e898a8efa42ac7

Download Submit
C:\KaVBBW\optialoc.exe

Filesize
3.1MB

MD5
1456d387fdda1cd3d3d2e4d6fbd8d65b

SHA1
a41c9fe989aa170c677742a8c67f2b0b8c0369cd

SHA256
fd048172cb067bee87d7bdb88bea99b84cd31e5baece2f49783c3e97e92dbbde

SHA512
47defcb8f65d8686791c5480d9255842521bc3be24ea7ee9dc0714cc3f01fb7ff952442bc7967acf0ef9b08b01febd77ea2e5b50dddd90cd622183deed143ad0

Download Submit
C:\SysDrv03\adobloc.exe

Filesize
110KB

MD5
be398ace4d44b134548807dc68990d20

SHA1
3dc62eea2c973fae9c178b8b03e74cc1b709f7f8

SHA256
d3c2a82c6ed5e393621d650f9fb7eec1456f63e77b408c435d8412afa377dd65

SHA512
cd4cd307e6de1b7bb859e1ac19f30d518530782d0fa9ed013a3f97bb381ed1e36d08ebbab65ec26ddbac3cf23d96daaac4feaf29fbf228db0e2c0455a6f66fe5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
3abf40bde1030fa4d785a187052dce5b

SHA1
f13c8494c0ca25d6c81e5cbb3240d70187ac5606

SHA256
51787751699452e4d2024b638327c945c7554177ab5b8e944d3828fcacb57bcd

SHA512
fa46149d8de21467f1ece209e54659b7081139b70bb0df2c2a9caa094c62493ac4eddffa3980895f4181d979a015d5294f85e139f52869e5209a06bd7509f5e7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c24c5ed629617b315229b8950be5531b

SHA1
3d30fc02eef87c46cf38e8fa90bbfccf1325fc56

SHA256
0960972f1bd3c9e3bcf8099f4ba7ac0a600039754a1475e59b5fc00a88c02cde

SHA512
17dc3fe14e7d13eb3d1572e498fb22afb763cd173ebfdb3aa3f40edd0cc712dc2ab375a0c52da673b700055ae72ba5418988f124f51d8a27fea955c61cb4c1c0

Download Submit
\SysDrv03\adobloc.exe

Filesize
3.1MB

MD5
2026c40171afd76fccfe244c9f7a55f3

SHA1
5d69472dcac9a6491c809d44ffa47df6e6e8ebc3

SHA256
f988724d1d3bbea6ac5dfe62eafdd98c52401c8ffe16422088e6a70490c10367

SHA512
1b0d51366d8674f7dc367cfcc9771dc8f780e0e67fd73109beeaafece6d65d13b0f68e74115ae21a01d046f321e3b1f12f253a8a722a9477cf472e5c1085945e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
f03906fc03fff6a8c940855a4b779365

SHA1
1ced7e2d5b5ce87c402264f719f9128b837a2984

SHA256
537a38ce2f3ad23932da004da28a352fb5d27f671bf0eace743179ef7f0b1030

SHA512
137a6e2f1ec1fd7bd85e2f59e52a6309c4e5fc187d42277c058d2071ee81482de8bde481e4c7f95ca81ed608f650694dec758a326f01160f32b081e5e42ac870

Download Submit