1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Size

2.6MB
MD5

1ecc3ef8dc6e4b2d727bca37deecd966
SHA1

8de8318b44891e2cbb7e5dfacc43de85b2c0c6c7
SHA256

1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365
SHA512

b3beb79c43805e2a35d6cd3365537f7fca9ee5177ec39afb449b9a2c092d0534a51cde1c404172562eeb9d2185038a5c8b349f5d9e454ff3db22f8205ba30e7c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

Executes dropped EXE 2 IoCs

pid	Process
4100	locabod.exe
4312	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLX\\aoptiec.exe"	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRS\\dobaloc.exe"	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe
4100	locabod.exe
4100	locabod.exe
4312	aoptiec.exe
4312	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4100	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	89
PID 4264 wrote to memory of 4100	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	89
PID 4264 wrote to memory of 4100	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	89
PID 4264 wrote to memory of 4312	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	91
PID 4264 wrote to memory of 4312	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	91
PID 4264 wrote to memory of 4312	4264	1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe	91

C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe
"C:\Users\Admin\AppData\Local\Temp\1488be23aa5a15bed96482635e79f3ba3dc0091309483335bdb88048643b2365.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\IntelprocLX\aoptiec.exe
  C:\IntelprocLX\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocLX\aoptiec.exe

Filesize
306KB

MD5
792917757f09453091117d48587f8cea

SHA1
2a1ecc374cf2b9516a49952c2b53015d83888e0f

SHA256
82febcbeda374d5fff4de588530aae48460ca295731257fa3dcb63fef9d5ed14

SHA512
c72c387a3c9d38ace2b2a5e1aae31d1b8df96dc17fc714f799d7f771ae61046c608c47bff93624c6940fe3bdd07442b2e747478b483eabeae4a342fcabd4e13d

Download Submit
C:\IntelprocLX\aoptiec.exe

Filesize
2.6MB

MD5
6716c7fb0a7e846505b2981590cc7e79

SHA1
2b3abcb88bf1a4ab286eae19ae214a4a1a952dbf

SHA256
131a950b3298f40b1450215a70f085f9e6bd846ea64130cf26ed26551f2c2764

SHA512
f7a6bd43d2bca27d054aa440417704639adbc3f1a201252d418bdd7d3d53ae88cdfd29cb31cf2388937588d78930c7256e898b14b5e0faec8958f38f53f6237d

Download Submit
C:\LabZRS\dobaloc.exe

Filesize
2.6MB

MD5
4dd8fab8e7fb20457015fd0d1db8f6f5

SHA1
bdd51330f005418528d4676c8e5e57d7514060cf

SHA256
d3740d24c15870222c309d7c35e4bbf119f772ae381ccd9ec0e7b73db9b6533b

SHA512
b623f1f0fe0c06a0a1fa9fdc31a6a54d9170f5834de3b376ef8249784418c4c7df9fb8011681a2d7ff45e8f806d17c371be73cb608e193adc82b49b312c21a99

Download Submit
C:\LabZRS\dobaloc.exe

Filesize
1.6MB

MD5
9dc4c15c4aef1b34ec6a294cc966c132

SHA1
21fde6291cee53ae93475b6b26aa4f4a81031dff

SHA256
2eab54cc38b3d5db1bc4b60815f40df2b8e3b787927cfac8a2c74eb78df5e687

SHA512
1e2af90bbcac1722de6bf028093dfabbdae857ca858206f2e623c0432c02f8b208393a92483da0b3c35c448e42d725e6de0508b4b41f0e929da89ab5c88874d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fa57f9cf65169a934fdebe5215cd3f11

SHA1
3a3392d24771f6664364be1fecc3802b9ba1f7b9

SHA256
02f6a6dbb7d5bd6b5757540698f0a6f519720024cc9e1332462e8bb3e8b84bcb

SHA512
9436bb3b7174821b14ab12b61906667511832dd56f65db85a351ec7793b936c86c036ffd8c2786e1659d848921d1195e505ac3a6be4c40176596896017430aea

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
caf26ff4c1842bf1c8185c79dc5a57a6

SHA1
c9f9bc024b41f2ee83e2c38b729ed1f088a93357

SHA256
c9bd3b9f2234c0b146f10ab20633f574b2a953d266f321526f5d0a7a46c0d06a

SHA512
01aaa6b2f7f4e820c0db179ee7a85d3d7df61a7e9b0076413f1f6ea0db3ebd98a4a37e58c8efe64bb01c3cb9d9b8493fe8659c882531ffe916101dc13fb1440f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
f1dbd4c10c6ff8c5429665aff262c21f

SHA1
c08d019b779624c36be453816d2b61f7384b44cb

SHA256
2ec241e6415844b2eaa436752aff2b5ae9bf26399e2ffa50d48813fde12bfdd2

SHA512
7b3cb3f116c4d74086fea51085f4fa6c2e5281ddeec4d7011d8c9b296b848a8a214a1dd425325c262ba97c2ba25dc06d05f29fe8d1efa5ae4e3674c6564d8dff

Download Submit