4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Size

2.6MB
MD5

d2964565021e5b414dbb62339f1f9b2c
SHA1

33db008120a7ba5c2c2995cd29ba2abe988b592e
SHA256

4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48
SHA512

be64b1dd1f2931310a4a5f1bdc28cb1f29bc2466f0a4342171249a3918034ea194558dd418369c8c6f48ca77f636debe16ae7a47c263e1d49284205abdf17315
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe

Executes dropped EXE 2 IoCs

pid	Process
4864	locxopti.exe
3680	devdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKU\\devdobloc.exe"	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXR\\optialoc.exe"	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe
4864	locxopti.exe
4864	locxopti.exe
3680	devdobloc.exe
3680	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 4864	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	82
PID 2908 wrote to memory of 4864	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	82
PID 2908 wrote to memory of 4864	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	82
PID 2908 wrote to memory of 3680	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	83
PID 2908 wrote to memory of 3680	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	83
PID 2908 wrote to memory of 3680	2908	4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe	83

C:\Users\Admin\AppData\Local\Temp\4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe
"C:\Users\Admin\AppData\Local\Temp\4b242d222e3752df025552e3c8376d75e1eaf96033de5cba02bbad2062218b48.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\AdobeKU\devdobloc.exe
  C:\AdobeKU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeKU\devdobloc.exe

Filesize
732KB

MD5
fefb0632974ca44bd533e1546cf4c9e7

SHA1
13afde2314df9b3e2e1efcfb95b5d2a3ef31d3b8

SHA256
a6119347905bf23f1039c1932fc08d7351396156ddf9ea629ce0ef24b3e3600f

SHA512
014ba1e17e4ea15b89c8a5fd0d11cb12f0ea13519b7ebb9e798acfc6cc0af4e2d15ec0d34654e45b1ca3adc3e3683f6df3b2e068d050eb5a54338a45fa6c6df3

Download Submit
C:\AdobeKU\devdobloc.exe

Filesize
2.6MB

MD5
92aa1060077813bdaf103a38ebc00ef0

SHA1
9829ee25d2187f126dea4a92dd7537d5b95ce367

SHA256
00a3f901fb1a22657280830654387b84d09e036558c7c6b5ccea8be372bfa378

SHA512
514409fe0588e4cc082605b7d882e0817b302de1f9efee89563b1f7182335782ee45f81f924ba212e9d2c0c37ad15762cf94cabdc6073cc8d84be2e53694a965

Download Submit
C:\MintXR\optialoc.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\MintXR\optialoc.exe

Filesize
2.6MB

MD5
4dc388021f09df48d857d91f7e4339a5

SHA1
292a8724f0333ec13589aa53b22f01b4578a0e7b

SHA256
a1c8ce014fa45cbf981300dd979d2e13e4c19c105c105f75b93c2f0fd8db82a9

SHA512
b48449a979b6b41beb02215994bb7c8c8ec82001105cb5036a8c83091ca0e363d82507e542704674106ab1c7c1ed98fd974f523dd0d7b8a840f1ae4736033143

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
453813a0e6074a631b7c54083e8fef49

SHA1
3e26a52335a9abafe609d69d3b8fdfe6a7db1ac2

SHA256
1f41c5b6ee8551b5c7bfa9ca3f93ac859a5fd2790832e4aec4ed3437c987bd4f

SHA512
a11f3a58b58f989678e58f79daea46386e62889f04965c2ad1c8a08eeae0c626bbc814013c099de72174762733029c33f9a1a68bd56cbe1484d79f6d28587d0b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
1d0283af91bbde13b308f53d22fd9702

SHA1
09241e953699e5d419d582d01d0fbc52a4c08c36

SHA256
3577cd22aaf3ee1a624292dad37ec8b4033ec5721935834e148eeb11cce33c63

SHA512
e450b5c7ea7302895fd1701ef96d23507344bb31d882a052d15f8773d4cc78fca2b2fd6816e19e88e0bba5513a69217566038c6ac2c94ecae739f74067f0162e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
32b69c8771b1a48143e7e920956e1a81

SHA1
bb89c36c5f49f525385d5e5c09e2bee548061626

SHA256
b343a5e6283fc961a79e63ef035c4c9e9a6bcb02e69eb551a51a25066cb0606d

SHA512
62dc54621840e48eb708fc53e00218cf03fbd8f010613793dc96ce20ed291a1e27edc47f655aa6fde47b7bd928858d0c9a4710425da8cc642c25d0120f78d4f9

Download Submit