fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
Size

2.6MB
MD5

26c4dd6ea262a31603550a67b181ce2c
SHA1

92c9dc96c22422b85a75c9f4f18605eab6c0e23a
SHA256

fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e
SHA512

a606b147087dcde83f8974636ab1c570a30e8c224912b02d6a406e10c06f911901fbce0bf5d952b989c918e5435af97b42e976948733d7f31aadd2e41eb08172
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpfb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe

Executes dropped EXE 2 IoCs

pid	Process
672	locxbod.exe
2332	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files78\\aoptiec.exe"	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZX0\\bodaec.exe"	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe
672	locxbod.exe
2332	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 672	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	29
PID 1744 wrote to memory of 672	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	29
PID 1744 wrote to memory of 672	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	29
PID 1744 wrote to memory of 672	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	29
PID 1744 wrote to memory of 2332	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	30
PID 1744 wrote to memory of 2332	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	30
PID 1744 wrote to memory of 2332	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	30
PID 1744 wrote to memory of 2332	1744	fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe	30

C:\Users\Admin\AppData\Local\Temp\fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe
"C:\Users\Admin\AppData\Local\Temp\fd07b903ae5251891023c15b493dc684bf6f9834ac2dd44110edd0f50a2d9f9e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:672
- C:\Files78\aoptiec.exe
  C:\Files78\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files78\aoptiec.exe

Filesize
2.6MB

MD5
087e3b35f2cbf280b4c6f5889465b0ed

SHA1
d342b9d531c985e35852d6784dca92ebe978c39e

SHA256
b88fa79a8ad30a13b57dc39ec9135a9192fdc8fbc19250e04e80870b4a83a66d

SHA512
a34e5ad83f0db363b7c9a3bc2d8fabd6e42a97385a3dba7cbc70624bbe9d2336289d4384fc374df87cefddd7280151e67c2abafec2035e908aeaa64c0b3f4dab

Download Submit
C:\LabZX0\bodaec.exe

Filesize
1.8MB

MD5
ac8969fc0a0d95c32d24b5dbba51a33c

SHA1
b0171aa831d98eaf66569352b76194a917741f45

SHA256
1e646d6624e1a5ea997356d03882d107c100dc04842d177c4888d3d031617efe

SHA512
61b0718e242f2bf974ed1919d73b3c56e3a18b102d56b15f289594c0687680d61bd9f8632b54ab2a7ead6092c340cb4a2c492bf1b749222a952822eb942c064a

Download Submit
C:\LabZX0\bodaec.exe

Filesize
2.6MB

MD5
a53f65f2bf72ae74a9ce5411d082ee2c

SHA1
c87d0c46e2d0b045e92220957d895ace23c76e47

SHA256
6896cecb3f9141025622fb66746058c2249aa698e0288690cf986f937d34eb37

SHA512
b915555995df8daa4715fd36bba335b178653ed4052dc2f4521a649220f18d5baede0b15bedf1e421920f3889fd3b92182053c25c413c99738bc21c5bc52dcf6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
70795fb9d2ad2bd1f5f37b28d7c118d3

SHA1
93f2f668b0c59115027193b7a9a08a09573c68b7

SHA256
21ca3d69876f60ed9848cd5a356d8fe3d36b925144f002d3d1110674026bda4c

SHA512
67d882278f6afba63088936d2ed960a496811e4e9c1b29b80a0a755c712881e85227648100547851c307695df9cc7db278e5a1097dfbe88098c21a436655bb19

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
52105d36e31bbf9d604245fb463ef219

SHA1
a630b36572a233f76b89455cdc8cb957a98e8db0

SHA256
b76f0b9d7e68028034710538ba07c425a3987b2083b547e8aec0f2a62393cbd4

SHA512
cfb0b3006453cc874b654cec38062276e811d1bfafa1759df6a135e7061755321bf742f60b40b7137a9bb16591d77cd110fc7ee22fb3c19eff25296cce194086

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
7747e1e5e1acde8292524b492ebd52c7

SHA1
7f5c8f39215f99358ba9a6a5598212a924756971

SHA256
d022e3ecf0f1ca18a5823e1c5679b89747b629914727a7572743b162a8368576

SHA512
636a72da7f9d54aac0bc8b5df4fb72bc650203da3e770f0326661cb4391851a99de9b857e36d7dcdd63bee2fc5022bdcc8c577ead1fa6890002fa7f4be1ce38f

Download Submit