5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
Size

2.6MB
MD5

41d9fd84231478a2d52c3c01badc7aa2
SHA1

b0da3b7a523f402776676792b7175cc559b62619
SHA256

5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef
SHA512

5d18d03ce2bfec3114785082d310939642ed250c91b56b6e88ec4f8d505f9b9b5e1110cf4189b058d965c20fb996bf2ad5c27e69028c929bf19d29d08778ab47
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	locxbod.exe
824	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFE\\devoptiloc.exe"	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN2\\dobxsys.exe"	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe
1808	locxbod.exe
824	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1808	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	30
PID 2132 wrote to memory of 1808	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	30
PID 2132 wrote to memory of 1808	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	30
PID 2132 wrote to memory of 1808	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	30
PID 2132 wrote to memory of 824	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	31
PID 2132 wrote to memory of 824	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	31
PID 2132 wrote to memory of 824	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	31
PID 2132 wrote to memory of 824	2132	5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe	31

C:\Users\Admin\AppData\Local\Temp\5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe
"C:\Users\Admin\AppData\Local\Temp\5054a3f0b6b21b87e16475e39609b32686171d57ae5848ceebf30b4b482111ef.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\FilesFE\devoptiloc.exe
  C:\FilesFE\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFE\devoptiloc.exe

Filesize
2.6MB

MD5
40cc6b86da1e4a42811464216d420fdd

SHA1
d98fb12ca31fb905303a9df26e92d91a9a47d89a

SHA256
802531e42abaf3563f7cb6f2229e3686c74f173c8bc2d3c762c593a5bb7bfbd8

SHA512
d091a747935641b8acc6de4bff626078ecbe570abffa37a2ee72850c673225466be06b0438bc7d4ac57ceab3f3f213450ad8cabb200af7d2147026d7c47383e5

Download Submit
C:\KaVBN2\dobxsys.exe

Filesize
2.6MB

MD5
193423036315db8b243c4cf56013267a

SHA1
9a310f2c7506571e310cc537725c45b0fd680be3

SHA256
80e2f5d2e61a9d7bf42cd8b03a2dc775695ac469d322106cfce0f59f4d1bd4b2

SHA512
49b04640016e544cb449dba5f5ef61176b8f7b8a5117e7b7116c2c32179e19b7b95e16b9b1ad0f1a57419decd2c74b4b51936114aec0cb805b16444eca0267fd

Download Submit
C:\KaVBN2\dobxsys.exe

Filesize
2.6MB

MD5
82e9929cbb289b5cbce1da7a3f50fb85

SHA1
604d23b07bf7790fa242007e95e5a7d41869b78d

SHA256
3f649d908fa6bbeb4b2f4ebcaf85546058a0469fb557acee2ccc4e5c0e1309af

SHA512
5de9992e829f4d6d38639d2ff7228985e9cb346b568a873f47ed5f7399077fc8605a545e9589f5b424f250a9226ff207d609903256be791002cc5eff679de8dd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
47fb14e1a3142a929efb51659fb20442

SHA1
7241dab3d9ac79364d95a0179a00c24b86bd4c8e

SHA256
3fbdf7a1d7b0ed882d9278ae1302052460e1a6044b13c5de865c519ed61d9afc

SHA512
ae90e09cd22c850c07ae709536598ac24f306ee93d16145a6902092565365f6b5e7343b91acc69f23fec0c20fb1cede54647048d7e10b2d1e1a54876b19706a5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
f57a6f8fa516564014b5e6e8b297be1e

SHA1
ef705d8422a4b9b31512ab79cf3df7a6d8b8def9

SHA256
41d2e5e6b99f17259fe1346f43ba4663ff33893dfa57fee938d7bdf1a68c2fc4

SHA512
42f7c0f08c931c34d3157e327a8a378e4f3fbb8d18bbd81b7325bd69b5501bbf4dd3d8551a1795b23bcddeb3e574d9b5173d9db6c679e0ffb3dd2c843cde1fea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
353e546b29fa4bac65e08bcaa02d6b51

SHA1
6dd363369370d3d8564ed75621540cb5ac9a8c85

SHA256
01ca3478e774761f2b47c0ab98c6f4692c04491cf38fcf7db970ae018138b7bf

SHA512
4cfdd4944bccc2c5bcb9086413cdbd6e4ababbe40590c7ef9e5dc1514e92947fdaedefc51ef4d8b61424d0842cc0a0be610e8fad3fe8136f5b2a5dc0c23a22ca

Download Submit