2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Size

2.6MB
MD5

b66ffb4704a0d857d711cfce898cbcb0
SHA1

5a596c5156f922bbc8d72de5241af0ab8f30f3e8
SHA256

2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589
SHA512

b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	locxdob.exe
2912	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNM\\devbodsys.exe"	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2J\\optixsys.exe"	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe
1960	locxdob.exe
2912	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1960	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	29
PID 2248 wrote to memory of 1960	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	29
PID 2248 wrote to memory of 1960	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	29
PID 2248 wrote to memory of 1960	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	29
PID 2248 wrote to memory of 2912	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	30
PID 2248 wrote to memory of 2912	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	30
PID 2248 wrote to memory of 2912	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	30
PID 2248 wrote to memory of 2912	2248	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	30

C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
"C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\AdobeNM\devbodsys.exe
  C:\AdobeNM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNM\devbodsys.exe

Filesize
2.6MB

MD5
a6c5e7ecce3494f0d111c6bfa2b75fbb

SHA1
eb2c7e8948cf80d1f0073064926a2d1c9ee3ef03

SHA256
c26fc08034bdec5571b0ec168dea7d45e16d86fe092416659e274d7cc035ed30

SHA512
dd1570beb7c5afe5e63eadb4dd9bfef61d4027b676692e576fffa9fef97668ae2c1b6107436c78646727a9f7152ee2c030026e2b1f0471c0c0e60ee6ccecebf6

Download Submit
C:\KaVB2J\optixsys.exe

Filesize
2.6MB

MD5
e6626a75d6f2b477b7d0818f3d0d9478

SHA1
b1917f0ddad16066dac1f38a765068ef42d4b478

SHA256
73db243a0ee435d28802cf597f889edb76d2c9b0226829dde00e61d5363b98d8

SHA512
e85942747a913229d91ee3b230c934ab54c05042c9be9029c4aef94bab1d490fc730ba722ef33e16da53f320128ed0b50c8f39f92a5aadd2c67e8538f590c81e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
04c6d8a13ae3a65dbdcf556bb72a539c

SHA1
58cfbc600f990bf957ba6994d1e299b611f1c07c

SHA256
7c5ba40c9942e591b07cc98130fd613b711282dcd1a85d5769eae1b1274b6462

SHA512
a6c06a93868ac3c6979d7805af8514e47eb1922700426ba91ecb585284410273add20f288d5ffd0bfd6aecf06d4b6501b6a6d58a45ae8eb8ebf7453f8278b9d1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
49b7c3658ebf321788bef6a2c1951a2a

SHA1
c64889793ce56ab7a1e632fd525473145136e03c

SHA256
92fd5fe1f0559c80ae4b5c1a4fc7f83691a50e5720d5c84edc0a41de8db3cfe8

SHA512
43911db4cd4f12ca91bae00d6ca059b29c1b45bda5485845c3c3d1e7b7f882b5c85a08fd7e58747cc902fed488e6bcda0f4f6ad728c5bd0ea6e2e12aa1bbb1d9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
1587921aeea223084f1e73f2f327bdd2

SHA1
28eb3cd70700f63459f86938b0c81565232fc3ee

SHA256
f27e7f2a9a9ed9c6e95b955c137e17840dadb135aa4500ef80058c207e91dfde

SHA512
7c5df875ba7dd5fbe87792968ab4b954e3534d2230601c86e0c69b3c37ab40bec919302fd9172c3864d1caaed74408133a9231a3e7d314d984cfbef364bcf939

Download Submit