39586ec3d0ac7905f6efdc22a48dc97825d665fa23bd736ca67d02be2c2307c3

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c9da8e9c193c266bb3bc2183852e60N.exe
Size

2.6MB
MD5

c4c9da8e9c193c266bb3bc2183852e60
SHA1

796ccbe796a3c93db3267d85ba0e45c70263263c
SHA256

39586ec3d0ac7905f6efdc22a48dc97825d665fa23bd736ca67d02be2c2307c3
SHA512

65e30ab5b575cc816bec19ef6a74728ce0853b8d1b8f109f5e1f21d5ad354958d6becc949bff989ac824a9bddfa141d8ec311b459c1901f3ff19d1140ee23335
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUpnb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	c4c9da8e9c193c266bb3bc2183852e60N.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	locxopti.exe
2868	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	c4c9da8e9c193c266bb3bc2183852e60N.exe
3056	c4c9da8e9c193c266bb3bc2183852e60N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotS0\\devoptiec.exe"	c4c9da8e9c193c266bb3bc2183852e60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVW\\boddevsys.exe"	c4c9da8e9c193c266bb3bc2183852e60N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4c9da8e9c193c266bb3bc2183852e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	c4c9da8e9c193c266bb3bc2183852e60N.exe
3056	c4c9da8e9c193c266bb3bc2183852e60N.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe
2488	locxopti.exe
2868	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2488	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	31
PID 3056 wrote to memory of 2488	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	31
PID 3056 wrote to memory of 2488	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	31
PID 3056 wrote to memory of 2488	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	31
PID 3056 wrote to memory of 2868	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	32
PID 3056 wrote to memory of 2868	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	32
PID 3056 wrote to memory of 2868	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	32
PID 3056 wrote to memory of 2868	3056	c4c9da8e9c193c266bb3bc2183852e60N.exe	32

C:\Users\Admin\AppData\Local\Temp\c4c9da8e9c193c266bb3bc2183852e60N.exe
"C:\Users\Admin\AppData\Local\Temp\c4c9da8e9c193c266bb3bc2183852e60N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\UserDotS0\devoptiec.exe
  C:\UserDotS0\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVW\boddevsys.exe

Filesize
2.6MB

MD5
debd2a31484485124accecbd3f8c2947

SHA1
deeb181aa112d3dd4ffd25edc85b9649f29c1b1b

SHA256
e7c0b2b201a8b00caba521c4a0367025c30e78c01982d491db7dc384a27d4fbd

SHA512
b5fd3c43b071d6dcea7c00018d49af60fffcaa4780408684e90e72fe607494c13f0f953c5676a699179c9ea16ec6858a1c8b291f342cb0ee73a8a18442e050c0

Download Submit
C:\UserDotS0\devoptiec.exe

Filesize
2.6MB

MD5
c941315860f1e93b8c43820cb85f7124

SHA1
692c7e1a787de3b3960627562e32a855c3cf4b10

SHA256
81e4608b82beeeddf4d6ea59001c1a03c863c6d9156f29d1d7adc3e4a67fb4e1

SHA512
caa782c3781f8eec0a6f6067b946d6fe7aca2fb65376213b9156a89cd97f5d58f5f5144011ed813f969a7207fe1e08be8c880fef2ce2698983758986af7ae8df

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
e3ea8d3ad4783ddf3f7178549daff6ae

SHA1
0633f0ff463fdbec7b20c965460da287c4a437cb

SHA256
aac4d1cb93c4eced25ffd845e6a7634f1eac1a2284ff170745f4a89dc604fdce

SHA512
4eb67c9054a5fe039dc5cad6714a83596521910eaab21108cbd13f30fc31cc3fe804f0279bcacde680252a6fb4f0f122c1fd3617d3ccc5159d20ee1533d92250

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
239ee05f6e37fea40040f5403f2d65bd

SHA1
5f1c3f68618da772a735e866b794c522d648e2c3

SHA256
d572c009f423f5b8e121f62d68f6c2f9d5ded550815d0d8666bf955d18076617

SHA512
b63c60aa250c0c78e1ffa87b348f628af002b2fc4aabe6686b618ca1295c1a95fc1ae50faee074cc6c38b1ecf32f6e2785e4128d2467e9f8de5c085352a6f358

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
fc77c59f224b45af47b7931280310664

SHA1
629e3aa93d298771a4c68977db06a907807b4bb5

SHA256
dfae35a72d118bc6e5a757771d8d870b8802d54436f93366d13ef9983c4a783c

SHA512
7e96de1ac0396ecb1fe5f720cf7e8c7a2f95e00533cff8a6573f73e5894332b081b8a607f6e4fe5c1d4c1a882780eeb89650a069e85316c8ca47b447ac156685

Download Submit