07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9a

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Size

3.1MB
MD5

b10d8da598afbfd7bcee9dcc7eea5550
SHA1

02a23f737bda43e5a2ae2a4c6de9b9d91e479ff0
SHA256

07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9a
SHA512

c6c1a39f5769895c6dcc6235b0ee5224615b6fc17e79528661b0a39a6703356218f9323764e2790a1ef9c57d964ee7738e4d228ef90dd242ace20096b317c982
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe

Executes dropped EXE 2 IoCs

pid	Process
3596	locxopti.exe
2668	devoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintA7\\boddevloc.exe"	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJH\\devoptiec.exe"	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe
3596	locxopti.exe
3596	locxopti.exe
2668	devoptiec.exe
2668	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3596	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	86
PID 3088 wrote to memory of 3596	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	86
PID 3088 wrote to memory of 3596	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	86
PID 3088 wrote to memory of 2668	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	87
PID 3088 wrote to memory of 2668	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	87
PID 3088 wrote to memory of 2668	3088	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	87

C:\Users\Admin\AppData\Local\Temp\07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
"C:\Users\Admin\AppData\Local\Temp\07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\IntelprocJH\devoptiec.exe
  C:\IntelprocJH\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJH\devoptiec.exe

Filesize
3.1MB

MD5
d1f0000953db201b00e5bab6672c93dd

SHA1
10f1fbd821e5a587cc851728c8c53fcb7afbbf03

SHA256
b3262b8689452a4568aa657b22da887eba4feabc1891b0c6c149769ffcacf85e

SHA512
ac90004b6dc799c4ca8802e17b65bda94fff9abe485ffc6528bc353c5ab6f52eb1726c5360d18ea3a25565051fd0807fa8791fae7abb2be601c93577fc8eb1ae

Download Submit
C:\MintA7\boddevloc.exe

Filesize
3.1MB

MD5
2ec1e6d2ffba8742ebecbde9dadb1bf3

SHA1
4351ee2f658397b47c1cf24a5dca7b6fb64ec183

SHA256
626fc4b07c3a60af0b4b81e564f66f9553d1e89a5f4c0ae50f19920d8992b36e

SHA512
59f760e8c93f57256c93a81ecd42df05298b29adb2b1a8fa038a035bcd1ea25d126486c73c3fe519e9821e30001160a6867f46d948975bf60e19fb9943e0aa3c

Download Submit
C:\MintA7\boddevloc.exe

Filesize
402KB

MD5
40e4728cda5c4089580c36f8e90aaeea

SHA1
97a04ac2f21ffdb92afa3eb4f89e5c7d08d4f26c

SHA256
b4ee415901c145059c123327a2962bb24e2fd268144b34e12b99bcca2d518309

SHA512
951cb6d624d3004c2ec2445514fd3991a86594bf21d8d43c38e67bcc5729f2d4f5123d8ed48a2e42b18ae32dedfb30a609488557653938143aad412aee5e0bb2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
c4fea8dbcc4ab832a076c955b12c2074

SHA1
2a7e34de592c5e69ce890fc19bc8b1478fe2a4a7

SHA256
12524ca959cc23bac3da14e1c5ce10ce154d4b647cb767d7789dc3dbd00022e1

SHA512
56b69f7932f85d4850bd09387199761f382bc4e63b1a990c545489341767e3b8de841040bf93c8453431b81096b1b789f02fb8b6b3760803f27c43937d1f7152

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
c4175413964210597ff1e72348080446

SHA1
6aca116d4e8fad09fa1cc0a5da5143764765bef9

SHA256
131f6876275524a0edab58316b1092cec51fa3fd1f74112f826de00c6ad2c58f

SHA512
cdccb0d0c0729f57e2acb22acdb5ca8aad39a104360f29fb011081ad8256bb8fbc8d3cc9503d4262a10396f58dbd5bd8859531181ddbed4ac22704ca37222604

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
9f0a749ec3bc3c6f6ca7a97b3a5e7844

SHA1
9d25cf3b5953df7736db70f61b0636cb1454baf8

SHA256
d98c71f2b60071980b981ac53bceeaf45438b8f0ba74dcb37dd98c8148800236

SHA512
cf7bebd62b766b6f24a516d50eb6b764423cb5ba6adc416660e15cdef0ee87b38ad5c7854f1cc0a72de2e07d70a07d4720f834727be3039c06f626b0dec70b15

Download Submit