db151a1e2834e88938eecd6986efae314b497137d976d81a216673298fe06100

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263d293e9ad948b14593f529d9f193f0N.exe
Size

3.2MB
MD5

263d293e9ad948b14593f529d9f193f0
SHA1

32f62e6829fb5806934211670c6037171c1f8af0
SHA256

db151a1e2834e88938eecd6986efae314b497137d976d81a216673298fe06100
SHA512

08326a83c40030a73a90a98b8b48ecfc1eecc99a35e37339acd30ac92e0cf5f22d44d3c8b3a9c9319d38375c50eaa3128c43466a51a869b4d98dd343a5d06794
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	263d293e9ad948b14593f529d9f193f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	locabod.exe
2684	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	263d293e9ad948b14593f529d9f193f0N.exe
2288	263d293e9ad948b14593f529d9f193f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMI\\devoptiloc.exe"	263d293e9ad948b14593f529d9f193f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQY\\dobxsys.exe"	263d293e9ad948b14593f529d9f193f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	263d293e9ad948b14593f529d9f193f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	263d293e9ad948b14593f529d9f193f0N.exe
2288	263d293e9ad948b14593f529d9f193f0N.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe
2800	locabod.exe
2684	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2800	2288	263d293e9ad948b14593f529d9f193f0N.exe	30
PID 2288 wrote to memory of 2800	2288	263d293e9ad948b14593f529d9f193f0N.exe	30
PID 2288 wrote to memory of 2800	2288	263d293e9ad948b14593f529d9f193f0N.exe	30
PID 2288 wrote to memory of 2800	2288	263d293e9ad948b14593f529d9f193f0N.exe	30
PID 2288 wrote to memory of 2684	2288	263d293e9ad948b14593f529d9f193f0N.exe	31
PID 2288 wrote to memory of 2684	2288	263d293e9ad948b14593f529d9f193f0N.exe	31
PID 2288 wrote to memory of 2684	2288	263d293e9ad948b14593f529d9f193f0N.exe	31
PID 2288 wrote to memory of 2684	2288	263d293e9ad948b14593f529d9f193f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\263d293e9ad948b14593f529d9f193f0N.exe
"C:\Users\Admin\AppData\Local\Temp\263d293e9ad948b14593f529d9f193f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\IntelprocMI\devoptiloc.exe
  C:\IntelprocMI\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQY\dobxsys.exe

Filesize
3.2MB

MD5
3f824db32ecd75c72147b6318fa5935a

SHA1
94f890dfdb3200f5f29620c18d2b229da3e545f7

SHA256
f417ba328c53bdc98ab270b050078bd16884c8c3758691d7854000b69f184013

SHA512
9c631132c6fedcfdc8e081fd5d9997f8532b33216c9e5b173d9631ab9bab247e77a7821843652336f864d39c3bb2430cc20186f87cb895bbec8f54904d3feba4

Download Submit
C:\GalaxQY\dobxsys.exe

Filesize
3.2MB

MD5
ea65ab3750ed3cbfb88dbbca8d6b665b

SHA1
7f269b2ce6b511b9fd7179fff5d6ac237a1cd512

SHA256
c28c1010d1f7ca1c6f1cb031a2792f7618654c4089be56704a95de1182d8db60

SHA512
c16abf33ca5878497dd53c3cc79677c85d47b32bc709d42b09a4084813050c18f5443df7e68ae76c1b7ed80462b076afc98c85eae007201442966399979e71ba

Download Submit
C:\IntelprocMI\devoptiloc.exe

Filesize
3.2MB

MD5
abc53807550891574d9205602ae571b7

SHA1
73a683d0fdc5023ac871b6bf1dc95d0a85106e1a

SHA256
3b3b08e6ce8c7611bc9336df5a58753bbade92a15269e91fc34631a4789765c4

SHA512
ff034789cd9f6eb2d7c04afb438e3eccec1f0f45dfa56ac3f426a196b4c9a59cb27218d21812467ad44b4c7c61f9c7cc5662c7d00008379b6b3b8115be96b021

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
756d92f7b1545ec0d4dc2ab98ac3e543

SHA1
5bcbabf228b6f8d310b1c0eccde8d3721e320a89

SHA256
6ca0e67c308066292b01bd4de179970f63c82132f3e0b626270d72ca3b18d293

SHA512
374fad1759d3a58efe9eb5833d7ea675d44b086058efb176ef6bf57468380dd4d1f086f518e319a819a3083bb16c07c9296c04b42a14749798a1b8acbb1f4c96

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
f6a66a0e69c723c52842b1712f2a9b44

SHA1
412ab134bd6201613e1e8624a694ac1193306c9f

SHA256
91cdd45b72fba0d6955245fa6b65f87f0ec6f88422e041a84facc0eb3f869ad9

SHA512
a7fa781bb99fa7b0ff511381e91edddf3de14cc66f469489720b814d52db21ccec2683e4c0e5ee7f54cd7189c7b07bbc50b1c8de5c8f11774e395f919b63da8c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.2MB

MD5
9a5c417b5b6b984790a8a1be907c763f

SHA1
c21e4da0fac4efbea408fbc09bf21d8257da0e4d

SHA256
5d159cacf9e2a0bac8fe0b389a1d6142f8c7cf5711ceac35a5f3eeefadf6550f

SHA512
811a3b7d7e1a6718069b19748699fc630b6652467075da5137a687a23f0e2d575490340962ae8d694f1b8a87e0119aaee283dfeaec49a8bd7e3546f492fe9510

Download Submit