1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
Size

3.1MB
MD5

8154b96a3459a988226b2162dd0ed354
SHA1

fb12e7297a32a9bc39fe4eb6d2534d80aa979446
SHA256

1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725
SHA512

844f01e99ae6cdcbba7bc1d6a05275d03c3bba3a4e1b4788c5d7578d4fdd9d9cc12677e78ca852a5c2eace9c3ac5bf92dbb1709f88a63818a7f92de9da17baf2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	locxdob.exe
2784	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe94\\aoptiloc.exe"	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSE\\dobdevsys.exe"	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe
2740	locxdob.exe
2784	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2740	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	30
PID 2244 wrote to memory of 2740	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	30
PID 2244 wrote to memory of 2740	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	30
PID 2244 wrote to memory of 2740	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	30
PID 2244 wrote to memory of 2784	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	31
PID 2244 wrote to memory of 2784	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	31
PID 2244 wrote to memory of 2784	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	31
PID 2244 wrote to memory of 2784	2244	1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe	31

C:\Users\Admin\AppData\Local\Temp\1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe
"C:\Users\Admin\AppData\Local\Temp\1c82743e14e363c5df62f2e036c7d459ea2594e6951aea338b80d476a18cb725.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Adobe94\aoptiloc.exe
  C:\Adobe94\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe94\aoptiloc.exe

Filesize
3.1MB

MD5
1298bd6fde738133227b1cec67426dc5

SHA1
5d93de4467df02eab44714ac49a2a1e81264de44

SHA256
3fb760d850fe68d2a4f24de38a5e668830061d991459f543caddd9e6f2418c42

SHA512
4707aaa9e8ad717b3f8dbe3d4adf33f1f61ad49e3ebcfbb53812697d0022e93839e1593b334a5487fe160deb1948a24c7eb1be1edd5e4c1445eb2074d9ea45c6

Download Submit
C:\LabZSE\dobdevsys.exe

Filesize
3.1MB

MD5
2c5151d18c62f7d49abca7d0e7b3d049

SHA1
671f8ca35074c8408bf2e16b896cbf9ce3670315

SHA256
ceebdd37c7742f977b9190b0520df8a94dd47274464b11d22f69bf6f1f50d2a6

SHA512
9fe14e0a4a8b9fd2138d44a5272c6da68a8b8f2051102c9b5e6eae18aeb3637a2724cdcda356ed59c76025ddd5d34de80cdec3a3a6f9f7b0065d1e0d465ea596

Download Submit
C:\LabZSE\dobdevsys.exe

Filesize
256B

MD5
bae5eb085a9f023b8d36e2a083933bdd

SHA1
c8f3b383d6ce74e8606027a03db4b0ae08c513b1

SHA256
b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

SHA512
93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c1323311af9b1205211e99246f8494f2

SHA1
faf82b0aa1006749cd9fb62e5b5e5a5adf84bde3

SHA256
fdd315e7f7ef8e924b85e44b5f2f07dd45e3abea125ceca7032362227f001e4a

SHA512
ac8023df5768718354a3506142ab978224ba4d3885eaed99f9ad8106d14404a86ccaab42ea47e8c6304f2ccc0284dd18c2761208816db2b1e3126361233e43eb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
37e1d97cba01edc5b3d24224de6173da

SHA1
34295de9d8973408ea96bcfcbd7ae68ab1507667

SHA256
cee73b29c3b1fb8dde1e1991f9eea62a01e12d45426a32531b9b060be3ccb704

SHA512
13597e5696ee94b4d5275c5b31ada5ede8b3ebeca88764d28161f9eda899f6e7776bface6159a22fff0bbebc0b5b599e9072250b0106718f127cc7236f8a71b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.1MB

MD5
8f9ee52d814ff6c5ba36d61a79b716b3

SHA1
d26ccec26475eba034d0b5ae400832f9fb854c7f

SHA256
d14ccc0d9176f43b6d9cae89dd4b5811a6fbf6ffffda8d90a711e60a82661e7d

SHA512
6e8cbacccf1fa77fee5ed1422ca1c4f9f20f758354d9ce3b34bea56d40c94f358f108d46cc677dd92cbe70fd462be65cec581a284bdc69e0053e783600ee9d17

Download Submit