77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
Size

2.6MB
MD5

3798b7c536b9217dfed64114c488eb7e
SHA1

831c224a0c4e4783d780fbb14ac290c331c29494
SHA256

77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44
SHA512

421075f2ea8f085585d80493bc41749c20050512935ee520b0c9428631f4659f032167df42b8b3ca21fd4e07777a3b3dd4d5210381c0d9eda9b8aa7757599080
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	locxbod.exe
2348	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXJ\\dobdevsys.exe"	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKI\\devoptiloc.exe"	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe
2904	locxbod.exe
2348	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2904	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	30
PID 2524 wrote to memory of 2904	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	30
PID 2524 wrote to memory of 2904	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	30
PID 2524 wrote to memory of 2904	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	30
PID 2524 wrote to memory of 2348	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	31
PID 2524 wrote to memory of 2348	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	31
PID 2524 wrote to memory of 2348	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	31
PID 2524 wrote to memory of 2348	2524	77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe	31

C:\Users\Admin\AppData\Local\Temp\77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe
"C:\Users\Admin\AppData\Local\Temp\77d9969fd0ff8ddcdc37dd07151e19fd99cd185e835c6989a6e40fc16e6e7e44.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- C:\FilesKI\devoptiloc.exe
  C:\FilesKI\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKI\devoptiloc.exe

Filesize
2.6MB

MD5
a8d55de2b76be960dc53bfc9c365820a

SHA1
090912548706364ff66988b0a2968c30834b72b5

SHA256
cd430efec11765db83a1dd318a033217ea6481b2fc034f207058e502449b40ae

SHA512
d6129a957c902924af08d0937d2340651281c074a3ca371e04204e1ec30f0178a6a4575ff2a9e9c0f973a2bdb5b234391c1f76a03264f12e8f7eeae9ce41f4eb

Download Submit
C:\GalaxXJ\dobdevsys.exe

Filesize
2.6MB

MD5
64a12114e60392c8cf82c9cdcf735d93

SHA1
740af029ae2cf2f1cbf42d61ba3bf630000db1db

SHA256
797a4d9daa867b6a16974386bc1a64c04081d982fbb97802dc2fc7c89a58ca60

SHA512
dbf7555489bfa1c3267c28b277aad391ecd0c7c327eb10b394d4c9424dc5ab7d497ece6374492c90c15748aad99f71ccf5b7a3638e932c6d7c5d03a71881add8

Download Submit
C:\GalaxXJ\dobdevsys.exe

Filesize
2.6MB

MD5
d494432de6a0af6ed60874057d457ca9

SHA1
925752d0fc78cb4afbe92541a9016648d508b57e

SHA256
213d43c97ab9ffdb1cfbcf8d65abe592dcdee67a766902c581387ccf5c2fa8fe

SHA512
9bbffc9bdac1bc759ec1b6e333aa890e67751a2ad98fa5d16a28d7cc34a08e4c882792b7dcbfb36a6bf22211a747d6f6f6220e8ca2a48848de229a23b10da4b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
2a52bd0154fbcc039d3af11bd47dbd8f

SHA1
d5d2b96f09a406f68711f9b6495850d848cee1ad

SHA256
0597bd71366fa7fc7ba6a2f5e738576ef2b6d95abed13a4e6769255d49594927

SHA512
1c7be07c73bb3261b7f7c70722db0821d18db66d986ebe5e16c16d9f3a5044bcb2588a6d90bc401207a7a3f096c74eff438c0e8278115e28eed881b3b4c81a43

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
cfc0e03e6bdce50646ca348aa15d3501

SHA1
5b5bb4c1f50e1405a9a2fa6dc61c58ccaacd36e8

SHA256
c0b3d585dfccb5a99234736240177617146e3dee19a00086951c53008d288a2c

SHA512
4c588ee763b8fdf84ae410041f295a991279cba82c3b55047740ea0886e6bc6d2f94980cc2402106824a88fb11b635472e42ef94cea5b4ba748c0b78d52745d0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
a21d14816dccdf7a5384a33857629054

SHA1
3d7a99c092a84234a61e81422774908fee993925

SHA256
3b24d3cf8ccbda85cfea517862a5fc3317daae72d72401c77395055e477e26a9

SHA512
e0ae1ad4ae5be34cb5638c1fc2d79272ee21dcc58a51e2539a7b4f113646df09d4712cb33a0b99efe08cfa87b7ab0bb73e28967eedbd7f9740a9efcd3658c7e8

Download Submit