0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
Size

2.6MB
MD5

199947d24d7935e4d3b0291ec6225048
SHA1

7557d2841a9912a08c70fde641584b16c484261a
SHA256

0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac
SHA512

5aac12223a622a4923a47f9b4412cc0259efed39c44f67c5b5d158a4c87692b9a9ee44d9f82df58150aa51493b5b3124fdfe1007adc6920a2e431f01eca7dd9d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe

Executes dropped EXE 2 IoCs

pid	Process
1696	locxopti.exe
2428	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQA\\optixsys.exe"	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHH\\devdobloc.exe"	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe
1696	locxopti.exe
2428	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1696	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	30
PID 1484 wrote to memory of 1696	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	30
PID 1484 wrote to memory of 1696	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	30
PID 1484 wrote to memory of 1696	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	30
PID 1484 wrote to memory of 2428	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	31
PID 1484 wrote to memory of 2428	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	31
PID 1484 wrote to memory of 2428	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	31
PID 1484 wrote to memory of 2428	1484	0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe	31

C:\Users\Admin\AppData\Local\Temp\0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe
"C:\Users\Admin\AppData\Local\Temp\0a87a845c5631073aa43943d5ae11e53f4b134a95f1b83ff39052154a2eb9fac.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\SysDrvHH\devdobloc.exe
  C:\SysDrvHH\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQA\optixsys.exe

Filesize
2.6MB

MD5
db663191ed072d6b45fae642f273df6a

SHA1
a679c658e66b6bddca99e4320831d1efb3267ffb

SHA256
947b757e931098a7728d1b64bb919c7f7a3076dd82c82687702684b2220ce57a

SHA512
f6f883e8fd3343c1870b853289f2f9c3ad0d184371e3a4e808c388d1f4439fe84410ee9234213e50cec24a2e7a4bc51d7bd49a85d827ba6cd18b1b9e1cad9789

Download Submit
C:\LabZQA\optixsys.exe

Filesize
2.6MB

MD5
52c4644a3b0c95c444192bbdd59df266

SHA1
c4f244a83e7cf1ac18285cad25debbaf0de31686

SHA256
9d59952efcdaa9b959e5e37f4a29c2dcaba2cfd51a4f1b95933754bf4da2faf1

SHA512
812e65e52067b0225fb5593275cf4140bb9810766199236cb2a3dd36e0096e7b1a1c33ff976258909ecd0848ed0932eceb6fa13d40091320a03058b2bd3f0f54

Download Submit
C:\SysDrvHH\devdobloc.exe

Filesize
2.6MB

MD5
94895d6a12c27455cc1fa385c741e4a4

SHA1
437a1abf1ff24741994683e33fb368eaa01366ee

SHA256
73785b6499aba09b0147632ea0914ca20a61abf1780e62dc19f7dd10aad00a84

SHA512
ede9b9fad720f6d840de6238411455b221268d5cb2578031584da84173554a32840b67f1138f85fdfeb3e2ab653b7110fcdb89ec8254fe53c29d7f48733d480f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
d0825fcebef5b1d9c4da090bef7594f9

SHA1
4301951e875e01ccd7bbe09769c34423527aedb4

SHA256
996268ec0a15268978b79a17432d94d38f21eaeaf4dae07510f171b71bed57e1

SHA512
dc436108b1cc5a7ab4d8aced2bb630c15254400d2800214841c02b650efb8185e9fc3ebf123358b41d601441d9c3203d277050aa1bf1eea238e6fed5df7c11a7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
e7bb6e8563c10a1735fcdf00c5e25adf

SHA1
6df2b41cccba077fde9e5315008970354cb41f72

SHA256
d04495b77994cfeff2e296fa2b6d8ad3b376ae9d61691fbdf3c55548468da5ee

SHA512
dc51b19355c58c6fe0573789891bc8fbdefb48b8983339460b09ee9991215e914c122b2f5c757ca4cda2640f2bd2b97dfc319575c2b6e1f415b773ac1ee030e8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
37fca2dd8a3b13aff50c57c53ff8d143

SHA1
1acc8d9b2530659593955b812afbbe585111a669

SHA256
caef5111d6900b005c37c9f1f5d6c5d21b0c362f3bd7dc9ad8484093ee4d144a

SHA512
3c4d9a4b08de18137c0288e0bafdf38982af15ac2c6b9241a200c4a5ca23ba047f597732b9264d34ddcafe97358f47898189e8e474b896fec268c08919b8b235

Download Submit