47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Size

2.6MB
MD5

c75f8108b2477d5d8ca476ff3f030c00
SHA1

8531b0d56cc07a8e4e04367884cbfffe9b1b5102
SHA256

47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3
SHA512

fe2db60878e9fc298c0496378dccaebe1b013055a4c60a0dec40ce0d4e0c6bb7ff71b9951bb8d27cae117399c5f002f4739f80ba9ce78d20ed7e3d99090b060e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	locdevdob.exe
2244	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRN\\xoptisys.exe"	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8V\\dobxsys.exe"	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe
1984	locdevdob.exe
2244	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1984	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	28
PID 2204 wrote to memory of 1984	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	28
PID 2204 wrote to memory of 1984	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	28
PID 2204 wrote to memory of 1984	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	28
PID 2204 wrote to memory of 2244	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	29
PID 2204 wrote to memory of 2244	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	29
PID 2204 wrote to memory of 2244	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	29
PID 2204 wrote to memory of 2244	2204	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	29

C:\Users\Admin\AppData\Local\Temp\47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
"C:\Users\Admin\AppData\Local\Temp\47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\IntelprocRN\xoptisys.exe
  C:\IntelprocRN\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocRN\xoptisys.exe

Filesize
3KB

MD5
1277107cabcc016a5fd1f1042e36a2e3

SHA1
d7f8e8f7a16218d6bb1dce7bd03617500801eb78

SHA256
8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273

SHA512
f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3

Download Submit
C:\LabZ8V\dobxsys.exe

Filesize
2.6MB

MD5
198c5fd3e906ba27aacca4560367407b

SHA1
12d6ddfdc824cf888d0061e7d808061ac19adf91

SHA256
71a4976017e2f205c3806f8a65b2d32ea44531a2e961e45bd02eec69ee6e13cb

SHA512
f7e991263c65d6247b685db94537ecf29c8ebee33d208d8b7298479b0fbdb85699590d29edbb6a5ca1164c8b4fbe3b6a446abbc1c8d839b599d9a06dba3c276e

Download Submit
C:\LabZ8V\dobxsys.exe

Filesize
2.6MB

MD5
69d4af13cb0378bf7ee8a0f1d4a795a9

SHA1
89d0c98ea9bd0d20277052796cf8bdeb2dff862d

SHA256
6b9b39800c19b5bb880b9ecfd80fa63114af4e54240a7e2d87bbf22bfecb7a9a

SHA512
0a5948686fa815f6e991ae07fe87214439a5b97e3dab9842c3d151ec52fb1d7065d22e3a9c8e8b5c93a0caa40def516a03dd4bc2190d5bb3f70a0819e0b1a855

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
d1df8f958a5d7985733739724c5555d6

SHA1
6dccfb13f9777bac674f5701e4da9549b9941f0a

SHA256
09132e6dac2f03f1288ec6cf0d4cfabdb5a129941701f26989a3032204509599

SHA512
4b557384f8ca9712ec60d8fbef2dd4635042d04cd8cf71a9a59d19bebb48cc9a8c1d422c18793917be1015775006400683716508d734b8a8f53fdf14a457db12

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
21ad245dd73da1013f088812c6967c4a

SHA1
c9e65f670bce03751ceba07d0704535ee0026e38

SHA256
db138118d8dc7dd79c6dc01ae7830c63e901ae7e792a238d4c851f37b6f0bc01

SHA512
886ac8673509daa50a69f3a36b7ef5c099280f7c3858015652aa0d01e090747a90a8fa8ed325e2775fcc50fb8981ceb550d032b6b51ed924f95dd509d33aa6b0

Download Submit
\IntelprocRN\xoptisys.exe

Filesize
2.6MB

MD5
bd9085c424d39f24e89d553b00154a29

SHA1
a1c0eb53b6bfddef6f44b3995883c30b3b59f41b

SHA256
3e5b36fc11db16f3b579c4551a7c4603209b0c61448ef3da56009dfd3d04f748

SHA512
db356a8f8ea734ce8ccc0b72217fe01fab681ebe51a1bf3d34678230f09ed2960ba3af60d74b0348c95b0cc02748f551e2fc485c84f474fedd48a32258bbd385

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
e7e43868cd907d41d8f885b1821bfac1

SHA1
c4cda969f07b5edc8bbeab3ec3923ccacb2c6c21

SHA256
fb06237d9770ecba7ab7d0c33eabcb8e96788dcb4eb70297f7978e6cd90d1760

SHA512
4914ed206ac35fc6922c08dd2f4c1dc83eca3bdf3fc60026efcabe48a7a92e5962df559063d9fa70c783b24980df441de1805a9f715f4d171e9d8337151df998

Download Submit