2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Size

2.6MB
MD5

b45ecefc0d06e241de6a6f2a8c84f879
SHA1

d7bfd988ff93092f8bfab8f2b59f5bc36b7367cc
SHA256

2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d
SHA512

fcada78bfe17eba7b69566ffe9c632d1d261fe4ebea18367189f87cfee6347ae37c0c6e7b0d65a75ac722e60862fcc9e5fead1476c12f3b79a709ba90402bea2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	locaopti.exe
5036	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWS\\devbodloc.exe"	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAF\\optixloc.exe"	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe
2056	locaopti.exe
2056	locaopti.exe
5036	devbodloc.exe
5036	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 2056	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	86
PID 4552 wrote to memory of 2056	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	86
PID 4552 wrote to memory of 2056	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	86
PID 4552 wrote to memory of 5036	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	87
PID 4552 wrote to memory of 5036	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	87
PID 4552 wrote to memory of 5036	4552	2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe	87

C:\Users\Admin\AppData\Local\Temp\2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe
"C:\Users\Admin\AppData\Local\Temp\2b79d264180830744a84426db276fee14d0e243ca8b10f2aa468ac284807334d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\FilesWS\devbodloc.exe
  C:\FilesWS\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWS\devbodloc.exe

Filesize
730KB

MD5
3baeeee641e787c3e5b1962b7c67da03

SHA1
09714c1b44a3e99d89169b84faaca43fec55bc18

SHA256
2b803463ac23493981183cfd20749ea2ebe8e1034c92c1e051e7cba99bf7b652

SHA512
1583d6e944fc675813a29b11485ae6f08700379fee5bb67bd1c9379ecf22ca819e336694764bef2f2d0e57b6f8fae6964ad82e10bff2b645b5d9b799ae93b4f1

Download Submit
C:\FilesWS\devbodloc.exe

Filesize
2.6MB

MD5
83f69fb04889447a25427d7566d83e1b

SHA1
7f642eef90de9727f705fee333a056876ba42e68

SHA256
f9e6912c18afaecb0924e3866554ffd8e55a88c9ca193b30f00b91b5a870b735

SHA512
ef3189ca43a0f5c546080c453b96b9eec681ee36e288a16bad940b535cfb2a6fb110700f0c6236b07dbfc2d140b0841215538a60a6425c6a900536ef99ed89c9

Download Submit
C:\LabZAF\optixloc.exe

Filesize
2.6MB

MD5
ef0cb0a97d31350c5f5622eca37602e6

SHA1
4a69930b6168cf173be7836a6a0d5531c06befb9

SHA256
c137a223259c9ac40d1db410b884635551e3aba0508cea454cfdf8a3072ef3af

SHA512
271c10059cbd461f76de0c0757e60a481207978d5585b4fadc11bab6037cf1d55b552f7bacb0b407eb90dad724f59d33ec1f2b06e10a0ce3c23926979406ec1d

Download Submit
C:\LabZAF\optixloc.exe

Filesize
42KB

MD5
966f180f552aa615715f6e8ba8c58a17

SHA1
bfacaa444b38c5f78430b33fa82493cc7e00ab5a

SHA256
4845428cf5919ecfe20bc1cfb9eb5027c7f54fba580c4d822841645fe6211742

SHA512
a37d8d45e0d0ae4c1492dc4e2745c0e2ac7cecebbc848f1ef4a4a83f182957bfe5d82d72290599b4a1fbd526a3d52d72a1a1b4d32eb7c287fb6991e333d1bb8f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
f0e15de835a5492cf0d207ee0baf356b

SHA1
c4c86e7d5c4ef7b7f5d6d2a488ebeccd47834c5f

SHA256
f5088731bd0dfdd476e49052ca53738c9ddc7595fcdb7365e65aaf88735dbc96

SHA512
b81f742dd022c15e243bf35aaef760c0426b2d358fb4fae3a3783e2f202b82278f40ddbf163d20acfeea60ccec5f8058ce38215c87ff4c6035e01d60756d8b64

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
e2aecd1bc6c089418e073558de32ff24

SHA1
1ceab7900494b1c541dc13beeba69fefeda9a677

SHA256
8244ba928cb3710f9ccf5ef1711572834471b6fe883bd17870cacd4250cfdadb

SHA512
e0160884c186c47c57b085815daf938d9c0e046033aad17254f03d5616567d50422741405828ec6eadc22ced8a6990df15871362d0749c084d7c3388545a70e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
b19459f83b14d216eefa516dacc70f7f

SHA1
c01b9a3b6a144c6070ede1689de327bafcc8afd6

SHA256
5f5e8066f4b85958e22ec466137411c924c394b232f5f644b4184dcb435679e6

SHA512
64ff3bd8eccf1b3a00926c339d8d58ad703529510f5d698b282aa3bb07eb7d39d6ceb16cf228a66249c8f1776db00184a2e474bc5f30eb8ece8e00715c96f47f

Download Submit