15effab62ee6634b924c59c34fda08925c8bc9ba7e27af6ae7b8dfec28080819

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f57618b6ae472801efb055af4a8ea00N.exe
Size

2.6MB
MD5

8f57618b6ae472801efb055af4a8ea00
SHA1

c68462d62859387e370f1c638e1183e765f660ea
SHA256

15effab62ee6634b924c59c34fda08925c8bc9ba7e27af6ae7b8dfec28080819
SHA512

0efc3685e4d66772a3d6068882e2927e17bc1d4526f6f346b107dbea59fa85ce2eac4254a4df2a0dcb4d0b4a4b0a1f5579f29a28aef029ebd353a28b21fa8e8a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpIb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	8f57618b6ae472801efb055af4a8ea00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	locxbod.exe
3060	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	8f57618b6ae472801efb055af4a8ea00N.exe
2668	8f57618b6ae472801efb055af4a8ea00N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ2\\devoptisys.exe"	8f57618b6ae472801efb055af4a8ea00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBNQ\\optixec.exe"	8f57618b6ae472801efb055af4a8ea00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f57618b6ae472801efb055af4a8ea00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	8f57618b6ae472801efb055af4a8ea00N.exe
2668	8f57618b6ae472801efb055af4a8ea00N.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe
2516	locxbod.exe
3060	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2516	2668	8f57618b6ae472801efb055af4a8ea00N.exe	30
PID 2668 wrote to memory of 2516	2668	8f57618b6ae472801efb055af4a8ea00N.exe	30
PID 2668 wrote to memory of 2516	2668	8f57618b6ae472801efb055af4a8ea00N.exe	30
PID 2668 wrote to memory of 2516	2668	8f57618b6ae472801efb055af4a8ea00N.exe	30
PID 2668 wrote to memory of 3060	2668	8f57618b6ae472801efb055af4a8ea00N.exe	31
PID 2668 wrote to memory of 3060	2668	8f57618b6ae472801efb055af4a8ea00N.exe	31
PID 2668 wrote to memory of 3060	2668	8f57618b6ae472801efb055af4a8ea00N.exe	31
PID 2668 wrote to memory of 3060	2668	8f57618b6ae472801efb055af4a8ea00N.exe	31

C:\Users\Admin\AppData\Local\Temp\8f57618b6ae472801efb055af4a8ea00N.exe
"C:\Users\Admin\AppData\Local\Temp\8f57618b6ae472801efb055af4a8ea00N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\AdobeZ2\devoptisys.exe
  C:\AdobeZ2\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZ2\devoptisys.exe

Filesize
847KB

MD5
0eca572be33b61cfc93650a9674d2caf

SHA1
75791c0d4189738ce02069bbbea9245a61a7b156

SHA256
1c36735fa0b947f2f42c2845a7fd2f3ba50d3a8128e03e3b9b129956453f8dc3

SHA512
f043410f0b12b0a7cd04c10ec45ff65e9e88e753790b6bcf32ce279bcff1a9cc403e7de57f01a8150d150cc764fcddc7a2624b62de97ee1f46d5cf47a5f7b8d0

Download Submit
C:\AdobeZ2\devoptisys.exe

Filesize
2.6MB

MD5
cdd3789c5df0a2a0a6248ddde1aed8d6

SHA1
68450840f24c1b0182c12acd41ab60408db3a93d

SHA256
3433c3b6968cc9c905c14db0c8124e2c06878f449869086975aa5e6eb83da593

SHA512
4473fd8276ce744289b3484efc9de86f3b4eac513123403a3b17bbb54a18411f521c89ac00d217d03dab2b77e1be4f4412d1c3be0b4e3a5c7b77905acc917c5c

Download Submit
C:\KaVBNQ\optixec.exe

Filesize
150KB

MD5
4ebab2fcd0f60089a18e5e904e2af4fb

SHA1
dcef8199387ef179ec1292cf89ac0a8ca3c45d67

SHA256
55a486a0f7d8f76f4b3810bd13c1112f14d6f5f5deb36e24514e3ef53a9d6e79

SHA512
e33b0144f4cbf77fc44ce2d3cf72be91d034c354226108c8ed3db95d38febaca026567c6d1ce3e25cadde5b5f242168f80ed9e6b95777b81e7c512e6060b7bd4

Download Submit
C:\KaVBNQ\optixec.exe

Filesize
2.6MB

MD5
0a4cc468553b0aae8a44847b2c2becac

SHA1
55f198793fdba6e4cb39c00a9c0b40384d79159b

SHA256
c8a5f64e2d513f2f9d4775669b7049394c2ca605b5e48bf877609afc5543e1e8

SHA512
ffa6cbec3072bc8ee189d988198b2917144e38574bf35ae9e09b4bb28bcbc6ba4fee21a8c6d7ffb28df8e1bb5eb916748067cb8a705dfac0a3273096bc7abcdf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a4f0279a0cd88f1dd5f30af33fd0c49c

SHA1
05edd269b7866ed803d9955381a8d668002ba0ab

SHA256
d69525fbe184778f9ec3cd1c7c02e4630fe5febab45c400674a1654c92d03290

SHA512
67b38802eefa2b1be15374a7f6707b61a51264b6ed88539c52d4eef2f9ca43e25499f194fe19e64caa0ec9e52d884e2e215941b2e9b24ef0bfea2f8b0b3d9efe

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1c00f317e8fde1776ac716d828b4fbfe

SHA1
d1c9082d3ee1d53120ee458ee82567ee14569c87

SHA256
31f70991ff5acaf0a4ffefdd2a527542d5be16e3bbc5ed6fbead945f90b77974

SHA512
afdeeca78453d612fe5fbe068c3e0b7aa741bc79b80f8a482d96f39e0018b111b1763c9268a0a398d9e077ff875961c38ef41045863e277f1a0ad2a531e29f87

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
04037886e0fd5e161f2d753039da7098

SHA1
4f31efd6c1fd65e31bd3af131800636c5506880d

SHA256
60d968102aeba397bfddf7a61f5e5bc9323e0912d46c412e9edfba819909c268

SHA512
375a69de728218efafa75a9e3745581356ef38e5f3c3edb6998f6b0b53d1200d35ed12f2024a343149caa362c7c44b3cc4592de3711193dcd0b44ebba0167cc9

Download Submit