1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Size

2.6MB
MD5

1ecc3ef8dc6e4b2d727bca37deecd966
SHA1

8de8318b44891e2cbb7e5dfacc43de85b2c0c6c7
SHA256

1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365
SHA512

b3beb79c43805e2a35d6cd3365537f7fca9ee5177ec39afb449b9a2c092d0534a51cde1c404172562eeb9d2185038a5c8b349f5d9e454ff3db22f8205ba30e7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	locxbod.exe
2956	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTX\\aoptiloc.exe"	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ10\\bodxloc.exe"	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe
2032	locxbod.exe
2956	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2032	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	30
PID 2960 wrote to memory of 2032	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	30
PID 2960 wrote to memory of 2032	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	30
PID 2960 wrote to memory of 2032	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	30
PID 2960 wrote to memory of 2956	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	31
PID 2960 wrote to memory of 2956	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	31
PID 2960 wrote to memory of 2956	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	31
PID 2960 wrote to memory of 2956	2960	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	31

C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
"C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\AdobeTX\aoptiloc.exe
  C:\AdobeTX\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTX\aoptiloc.exe

Filesize
840KB

MD5
3ce70dbff836ac6ad9d01d9f5cb27d09

SHA1
199e1b935abecc9ad626b0dc3344f5f461083ad4

SHA256
682c3f475143adac1be66ec78a269b1f1d396c3722ba546edf8465af22f31017

SHA512
0bc102254cc3c24e21fb763e4cb8b2053a31832d88b791f1f5ca1c7b7192613299199ca7f12f6f9bc29f1979ef65d1f431682921e18be644eb400ad5aedfd116

Download Submit
C:\LabZ10\bodxloc.exe

Filesize
2.6MB

MD5
1505a51c31141ba3b279a7ae42b3d3be

SHA1
e8355f4c3a8005e57a417ed532ff7e5d552c1587

SHA256
ff291f66008dd882a02d1ff97ccbf28d7c05fbd02ebf38f8bfbfd73bd57af965

SHA512
c108c8e4ed92c5bb57304fbed4208d8b99b64f270810b1832382b476f571ffd9b9108bfb6bf5d965f20f9a0ff4abbd8dd3a413c3d30b0207fedfd7731c97036e

Download Submit
C:\LabZ10\bodxloc.exe

Filesize
111KB

MD5
57ab081bfde19af25dd49b0c79ba2900

SHA1
98cad0c89ce14dab0cbbd313c5a693606160c34d

SHA256
0752ea7702beb9a23cc53304b33d028cd9f46d98bb15bfc1849bf7d3c04a4702

SHA512
dedd3bf900e4a95a43993e4d148f0fdfdb78d3562a21ed84287b8757ffda7ee47905e34a56205755483292daf01a6ed5ca81d50d1e55a089b8845a29e7002518

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
2273759d6a9ba1f9ecf948188f89de26

SHA1
74f5e6b3244e65dab374e82588dff3bcfd9ede5c

SHA256
0ce01ec4151cded19373545e0f0b795ab453b01ca03a8dfc3fa184aa5811d952

SHA512
00126f310461b3bbfd9d0e14c6ad2d7a32f2b421734a89111bae5e1531869f8c9540c769180f79d1c2aeeebc23df24703cefccb6959e5be5980be446087990d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
970cfcfc64d24f75c8464fe8ea3a7dce

SHA1
16a9c16fb89a8c54bd3eefb33fb89450ada18090

SHA256
6c525c8995b523cebd38e92c2195c174d02cda9548347913dada106a5c5a932d

SHA512
dff21ee4bd79a5ff8ff848cb0ba82b837a5f19362f88301bede49c95f9695195b6357babba5253e00316567e1b6be49da99ba1634317e900088a90843b79f2ef

Download Submit
\AdobeTX\aoptiloc.exe

Filesize
2.6MB

MD5
104d0c1db2cd480b84d7ef517843e575

SHA1
e17d1ddc54b2e92bd07903185205cdd5e4b60bc0

SHA256
d697f5c26834d0ac3c995e97e9435e0fdd556e8fbc7a1b177a709297b1a94f06

SHA512
6f38fa8e853ef0b86d5f37930eb16aef13006feaae6d26d513529dc6731c1f9f04dbbe93f2f397cac305178ced0c67faa39534bc2807273360d81e2319dc225c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
79bd734a6a68ac94abf2d6a90cd17bd4

SHA1
8194e2107aa9b7d61299fab946798810f8aed5c9

SHA256
9454d001cc32f5cb55c3b1941b8d4f7e240fced13c20105818ddf2249b56d018

SHA512
d96698b861c82cfdf43a6f129a3bb9884a10b3d073079398a2b4289d643170369dcdefa8d6e2edb73ca80f7601ebb3656b46d07cda0a00585317cd197cdeb2b9

Download Submit