86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
Size

3.0MB
MD5

da5bb53f6741213abe8f596ded7f5530
SHA1

fcc2e1a8953d9c1ec70c2cb205999090f581d0d9
SHA256

86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea
SHA512

2d449357c1a9299e14be8bff678cbc7cb3c9ac6a8c9ebf62dffa0be66242025bb33036308780e1387ecee7b068941aa71fcc4dc422513efeda01180a6e20fe97
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNX:sxX7QnxrloE5dpUpnbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	locxdob.exe
2800	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNM\\devbodsys.exe"	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2J\\optixsys.exe"	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe
2196	locxdob.exe
2800	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2196	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	29
PID 2924 wrote to memory of 2196	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	29
PID 2924 wrote to memory of 2196	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	29
PID 2924 wrote to memory of 2196	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	29
PID 2924 wrote to memory of 2800	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	30
PID 2924 wrote to memory of 2800	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	30
PID 2924 wrote to memory of 2800	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	30
PID 2924 wrote to memory of 2800	2924	86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe	30

C:\Users\Admin\AppData\Local\Temp\86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe
"C:\Users\Admin\AppData\Local\Temp\86aa45430a4510bf0704d1f5ed7da4897af77d35c74d3898bd240b706a2a6dea.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\AdobeNM\devbodsys.exe
  C:\AdobeNM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNM\devbodsys.exe

Filesize
3.0MB

MD5
d7bba89b1b9c10d0151c95bbd7d8f343

SHA1
27ff3cdb9b15cbfb453ba2b1555e7829cbcb9dd0

SHA256
85142370d052dcb7c24a6107be58764d8b0f92976bd79c5e81741a4fb537db68

SHA512
27bf6865cd23e36898dcfc9f2dd90c3afdad8d0102fab4b49ed130ae181b04d49a27a21ad1ab509506abaedf89f93720b9bc42544c47859db1e31abed2336055

Download Submit
C:\KaVB2J\optixsys.exe

Filesize
3.0MB

MD5
168788da46ce9b564ca63be43fdcfee6

SHA1
9445a9cea8fa4474aea64ac7de78ee482d66a024

SHA256
9539cec392e87a55c6edfbe61d1e6897c5c49e8eec12f087325a4ce3478d892f

SHA512
6c23610c8f35ef25481b089d9ae960729949de99bee5bf8db8ef6a367f7e4c159d48fbdcd85f008e13ac3ad69ac389ce5cb9bc9fb7ecdfe06d0a0dc4100dfe33

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
04c6d8a13ae3a65dbdcf556bb72a539c

SHA1
58cfbc600f990bf957ba6994d1e299b611f1c07c

SHA256
7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462

SHA512
a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
49b7c3658ebf321788bef6a2c1951a2a

SHA1
c64889793ce56ab7a1e632fd525473145136e03c

SHA256
92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8

SHA512
43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.0MB

MD5
d66843c5d6f102b79e1be34bfec024ec

SHA1
3e7fb180d752c86b5ab51b6ffbd0ecf4e2fb01be

SHA256
f70defb568b6d19c4f49371d9743070466007a5cd7e8434216276cdecfa7da03

SHA512
b291a6bb7e897998402eb696458c5da8d572b430f57c58feb85250c347bfc1e4c8432eccb27598465b02c99591984c2ae9c886f6803d61559d629f577ef66cb2

Download Submit