a07a7ceff3280e8d8806f65cbc6ac971cf8b6a5f8224727c05dba65bc8d6ab44

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
Size

3.1MB
MD5

1ea8fec7b9ff23a3d8b761f9d1255e60
SHA1

8a5eb12b7f6828cf5042f3ed64d81dd8c11607fb
SHA256

a07a7ceff3280e8d8806f65cbc6ac971cf8b6a5f8224727c05dba65bc8d6ab44
SHA512

789704e6471198ca00ef009abe3419ee2a8e58916dd4305236498e0074a9a4d754f0f59564d18df3a6ca05f92cb416e66a13903759e5d9971aef3a69f7ad8110
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpdbVz8eLFc

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	locxbod.exe
2680	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8F\\devoptiec.exe"	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZX\\bodaloc.exe"	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe
2700	locxbod.exe
2680	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2700	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	30
PID 3016 wrote to memory of 2700	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	30
PID 3016 wrote to memory of 2700	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	30
PID 3016 wrote to memory of 2700	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	30
PID 3016 wrote to memory of 2680	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	31
PID 3016 wrote to memory of 2680	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	31
PID 3016 wrote to memory of 2680	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	31
PID 3016 wrote to memory of 2680	3016	1ea8fec7b9ff23a3d8b761f9d1255e60N.exe	31

C:\Users\Admin\AppData\Local\Temp\1ea8fec7b9ff23a3d8b761f9d1255e60N.exe
"C:\Users\Admin\AppData\Local\Temp\1ea8fec7b9ff23a3d8b761f9d1255e60N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\UserDot8F\devoptiec.exe
  C:\UserDot8F\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZX\bodaloc.exe

Filesize
13KB

MD5
fbe3105945c809e8bf6e00f7fef8ce54

SHA1
e4b4b6a33f2126392c845abd1669f10511f5c42f

SHA256
588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

SHA512
50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

Download Submit
C:\GalaxZX\bodaloc.exe

Filesize
3.1MB

MD5
3dae0919526c9061e2af6bf2fdc7e4de

SHA1
37df688b833738bc2d12027b4629ec4e66ef7c83

SHA256
6d135a60eb5ae20ef86efff09a961affd85749091709af3193e4191884558cae

SHA512
2a623fe2fcb4cefcac0e837675493ac4e7df7f501aa39cdccc2f78e18410a3c6fab14ee21c57ba826ab603238edf8a999ac29a6bd6c4183f695fa57e233b29e5

Download Submit
C:\UserDot8F\devoptiec.exe

Filesize
3.1MB

MD5
dd8d41f17fc4987272e043e35a6b2a9c

SHA1
6859a3db73eabb0b351f73bad2014ccbe19fe74a

SHA256
008a79125b54e08b7b4fdf275c6c23cd44530ac781c0ef5aabccd54f29ed342a

SHA512
adec840cd48a974f36d151c43746dbefb061ca8a0047d78aa6bfb4c489364f210ca52fbb5c401b632a68e5dab73341386226eb4bf8a9f3730d1054046f8ea015

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
b80717c6f0bda5bc4692c36d62760386

SHA1
ff4973e77ceeada13ae27e51a595d8de5d0cb95d

SHA256
17364b9f3cca1674e70635d8d686e253347ac2c1d586140289ca3388c6f71dd3

SHA512
1209d99f1a9531c8a90ff5a4c4f51a01841a39880d0d2eec801aa1ee17e4dad67f23cbcb30f154de148fffeba3ed252b3eda11855d1378f8663e24114317a4a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
c0fd20f4bf16b94804076da93fba189e

SHA1
9e6d7d4dbe919a594ace1ecfa773163b80c21974

SHA256
4c243661df20b85492525c532058c93f78ed79153bcb96b4dcfbc344a41683d1

SHA512
645ee42da0f8afef57c631a551740c84cb80313f8d28b8a3d01e1f43e846463dfd902a680d086ee4df7f20f11647506a8f61f4d7d8c428a48dc5673c6204823a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.1MB

MD5
7b501ebb1e1265efab36616e436d3a91

SHA1
94e80a304cbd873d2d9512416fd3ca694f62e496

SHA256
5d19040657f9ab0d865b64921b5ed90b33fc8dca7a3802ecb796ed7e17eda868

SHA512
8f7a0013372ddf738c9d0866c5355a9ee67cdc118efdfc980eaebb3d4f01f140c32e0fcd06d43a692efc093eb5715ac2b7775b86aeef40a0a714138c181deb82

Download Submit