a767cf5d33bb5cca90aeb800ebfd06f39add12cdfa26fd8acf21919cec780929

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

797c38c14af71efa936c192aa9e40e50N.exe
Size

2.6MB
MD5

797c38c14af71efa936c192aa9e40e50
SHA1

b874c0f16df3a995d99429bb2b29f818722d1a06
SHA256

a767cf5d33bb5cca90aeb800ebfd06f39add12cdfa26fd8acf21919cec780929
SHA512

ed8af2ed2103cb9437148e1e4f7b7d1a247be2e52274018ac3e3ebc13af142392b28381514d00e5eb0c1047dfdb892886bf7fafc04d970528c636ae297c8b6a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpgb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	797c38c14af71efa936c192aa9e40e50N.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	locxbod.exe
2504	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	797c38c14af71efa936c192aa9e40e50N.exe
1528	797c38c14af71efa936c192aa9e40e50N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ2\\devoptisys.exe"	797c38c14af71efa936c192aa9e40e50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBNQ\\optixec.exe"	797c38c14af71efa936c192aa9e40e50N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	797c38c14af71efa936c192aa9e40e50N.exe
1528	797c38c14af71efa936c192aa9e40e50N.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe
2672	locxbod.exe
2504	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2672	1528	797c38c14af71efa936c192aa9e40e50N.exe	30
PID 1528 wrote to memory of 2672	1528	797c38c14af71efa936c192aa9e40e50N.exe	30
PID 1528 wrote to memory of 2672	1528	797c38c14af71efa936c192aa9e40e50N.exe	30
PID 1528 wrote to memory of 2672	1528	797c38c14af71efa936c192aa9e40e50N.exe	30
PID 1528 wrote to memory of 2504	1528	797c38c14af71efa936c192aa9e40e50N.exe	31
PID 1528 wrote to memory of 2504	1528	797c38c14af71efa936c192aa9e40e50N.exe	31
PID 1528 wrote to memory of 2504	1528	797c38c14af71efa936c192aa9e40e50N.exe	31
PID 1528 wrote to memory of 2504	1528	797c38c14af71efa936c192aa9e40e50N.exe	31

C:\Users\Admin\AppData\Local\Temp\797c38c14af71efa936c192aa9e40e50N.exe
"C:\Users\Admin\AppData\Local\Temp\797c38c14af71efa936c192aa9e40e50N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\AdobeZ2\devoptisys.exe
  C:\AdobeZ2\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZ2\devoptisys.exe

Filesize
2.6MB

MD5
97a9c2108cf2c9469757e0b2456a942e

SHA1
77c1ce07e7f81c7cec591b5dacbc72c92fd0eff8

SHA256
d9c36fcdd51f5204f1cd25fb942d18ff964ecf214ba5285dab199dc8360cad5d

SHA512
e62f2b25620070b9e29a8d6ab1e50bf795882384c51d90c722f4574246ca5e7be1f5d4fe7d4976575eef2c19e595f3c9ed909a7e67ac14f591b7b26a38d9d4a5

Download Submit
C:\KaVBNQ\optixec.exe

Filesize
1.4MB

MD5
a2af908747e0303548cbd2a5c06b8ea2

SHA1
a793c506ffe0cc3ddecf62f3eb616df558a761b7

SHA256
26b4a8936b61a7fba4027bd690fb5b8719ab5f18abc27a51cdfff6b11bb99f12

SHA512
1ba28df9c2b46dfc326249fc620be0a56588aecbee45692faf4644ac6c18b2eb182dc23e3e55b8d57581926d595b6503a60e8d705ef3dc6e2771bc6ade28b48a

Download Submit
C:\KaVBNQ\optixec.exe

Filesize
2.6MB

MD5
96c798e7479f36cbbdeb906553cd6d1b

SHA1
4459482f92b79271761464caf698bb89bdee2a0c

SHA256
c5234258454e9b4170b22623830f6de84e37c3fcdf81acaa29241f7fc6fa0ef1

SHA512
94369075de3029e4aa71554b87d773a240fe1818b881954734e53eeb5365bcc60ddb6951e1d6450e0fb7fa1f794255ec571df1de689c85e619f96fb923885293

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a4f0279a0cd88f1dd5f30af33fd0c49c

SHA1
05edd269b7866ed803d9955381a8d668002ba0ab

SHA256
d69525fbe184778f9ec3cd1c7c02e4630fe5febab45c400674a1654c92d03290

SHA512
67b38802eefa2b1be15374a7f6707b61a51264b6ed88539c52d4eef2f9ca43e25499f194fe19e64caa0ec9e52d884e2e215941b2e9b24ef0bfea2f8b0b3d9efe

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1c00f317e8fde1776ac716d828b4fbfe

SHA1
d1c9082d3ee1d53120ee458ee82567ee14569c87

SHA256
31f70991ff5acaf0a4ffefdd2a527542d5be16e3bbc5ed6fbead945f90b77974

SHA512
afdeeca78453d612fe5fbe068c3e0b7aa741bc79b80f8a482d96f39e0018b111b1763c9268a0a398d9e077ff875961c38ef41045863e277f1a0ad2a531e29f87

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
ebfd593be83d79a668740ded49fc2f32

SHA1
b4fcb55f4c5db6188a3b225aa35a9eea84a7545c

SHA256
0f53e48f3af08739ec7c5652bf36250f09081d1b4e03e6979d50d5947e172689

SHA512
5a0fedcaa9af0efb264c43761b95d1a1802254e2956bf45b8b3a55c493f7a2a01be40bc1a1261bf412235e84260908681bb85879b76a07a099fb17ad7d16cbdd

Download Submit