ebaa2ee442985be1f86ce0177910dfa98ddd7b08808219382801785acccaf39a

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Size

2.6MB
MD5

3abda73cd97e4ecd2c15acd7b4b18df0
SHA1

c84fad2ca4ea6f2b8f9363cfab09e35d694c4c72
SHA256

ebaa2ee442985be1f86ce0177910dfa98ddd7b08808219382801785acccaf39a
SHA512

26092fa90df86d5beda8a7a7e244461ac41a5d860dafe76e2df2c781f0b4cce21fb414fe8f5926632dc0ec641ad5c34809df11985ee2451d64cf9a7ab8e3528d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUp/b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	3abda73cd97e4ecd2c15acd7b4b18df0N.exe

Executes dropped EXE 2 IoCs

pid	Process
232	locaopti.exe
4824	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWS\\devbodloc.exe"	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAF\\optixloc.exe"	3abda73cd97e4ecd2c15acd7b4b18df0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe
232	locaopti.exe
232	locaopti.exe
4824	devbodloc.exe
4824	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 232	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	85
PID 1392 wrote to memory of 232	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	85
PID 1392 wrote to memory of 232	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	85
PID 1392 wrote to memory of 4824	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	86
PID 1392 wrote to memory of 4824	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	86
PID 1392 wrote to memory of 4824	1392	3abda73cd97e4ecd2c15acd7b4b18df0N.exe	86

C:\Users\Admin\AppData\Local\Temp\3abda73cd97e4ecd2c15acd7b4b18df0N.exe
"C:\Users\Admin\AppData\Local\Temp\3abda73cd97e4ecd2c15acd7b4b18df0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\FilesWS\devbodloc.exe
  C:\FilesWS\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWS\devbodloc.exe

Filesize
811KB

MD5
a6494f7c9e3dc422a527866ca5543c46

SHA1
6fee0042a876869bc9903647368dec0f9cd05024

SHA256
f2faa9593af06a68012dc7533fe9fd699c2084c992ae8bb64c568f21f4bdd37f

SHA512
792fc23ce50c43827d30e60183e2cb18e5e2206242f0d2fbf8b840daf0647eabcefec45d8f4492bb922b4131c712c4df3e542de6150ce021016e4a95cb72e6c8

Download Submit
C:\FilesWS\devbodloc.exe

Filesize
2.6MB

MD5
ee517dcd8ec21fb581e34a1171469826

SHA1
6ee07b9b0e84d64f5900f345436598da95d50610

SHA256
55f6116362faf1737f53d626956542bfdf624cd58f951d1c06c6fdf0b1c97585

SHA512
d5bd16215142d34721543daed98c631e9626635e42ef4d28d39290abf6920b76a46047c80a76174e93590fbb2bd26f663e03def69f3fe144a3305982acbdd106

Download Submit
C:\LabZAF\optixloc.exe

Filesize
20KB

MD5
0a977a71f6366a8037fa6f4c10277d90

SHA1
a470e9bd9cc582813cba16b860a9e866df8830b1

SHA256
919c98998d0ed7e1f20dc0996fbf00f03402f31c0950d03179932b1857b34e96

SHA512
b9ca099f2e6bcef5ecdfa1da6d9994a2a84ff0a37eec88c6f9ea2fcaff817dab79402df8f7348419e77fb703425ffab773491748e901f6c0c18310a162f2adab

Download Submit
C:\LabZAF\optixloc.exe

Filesize
32KB

MD5
b49076433c0bf84919c9872909ac9b4c

SHA1
62ccebdcdf26aab3095a02caf388459acba54554

SHA256
047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99

SHA512
13bf6e46756787aacb11302c4300040db7eb4fcb38e7f33accfd48dab2ec6ed3056a5caf7212b585485fd71396d534800f9bef245d814f3af4489df0ab3f07e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
f0e15de835a5492cf0d207ee0baf356b

SHA1
c4c86e7d5c4ef7b7f5d6d2a488ebeccd47834c5f

SHA256
f5088731bd0dfdd476e49052ca53738c9ddc7595fcdb7365e65aaf88735dbc96

SHA512
b81f742dd022c15e243bf35aaef760c0426b2d358fb4fae3a3783e2f202b82278f40ddbf163d20acfeea60ccec5f8058ce38215c87ff4c6035e01d60756d8b64

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
e2aecd1bc6c089418e073558de32ff24

SHA1
1ceab7900494b1c541dc13beeba69fefeda9a677

SHA256
8244ba928cb3710f9ccf5ef1711572834471b6fe883bd17870cacd4250cfdadb

SHA512
e0160884c186c47c57b085815daf938d9c0e046033aad17254f03d5616567d50422741405828ec6eadc22ced8a6990df15871362d0749c084d7c3388545a70e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
0fa055b9af563bcb5835e3d712e88eeb

SHA1
d61f147e83c80f4dd89ee1e0bce6457e8e60a529

SHA256
0369a033673304692037e1b13742b5efe2dbb7357a58a32959e364da65be53d2

SHA512
418d99c003cd1728acda64f92ac7c5c8ee0361720b7cf8c68362ea363636f0c9fab9045571effcfda5d47617f823c8afb78a5ecb9aa10a15ca06b5ffdde44fae

Download Submit