06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
Size

2.6MB
MD5

ff22de3cc0177bea8c011f6e7793a1d8
SHA1

369030f32fa3882a8786d30d2f87d5aef5cad748
SHA256

06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915
SHA512

4ac88369a0d1e6374995e81b8a4e2430b76608200533790cc1aed222f9f1283e58c391767ba9ef967f97845d1df91d32c9ec448e47faea86495e209e38d8bb5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUp8b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	locxbod.exe
2876	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTP\\aoptiec.exe"	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFC\\dobdevec.exe"	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe
2780	locxbod.exe
2876	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2780	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	31
PID 1152 wrote to memory of 2780	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	31
PID 1152 wrote to memory of 2780	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	31
PID 1152 wrote to memory of 2780	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	31
PID 1152 wrote to memory of 2876	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	32
PID 1152 wrote to memory of 2876	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	32
PID 1152 wrote to memory of 2876	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	32
PID 1152 wrote to memory of 2876	1152	06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe	32

C:\Users\Admin\AppData\Local\Temp\06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe
"C:\Users\Admin\AppData\Local\Temp\06e8f3eb7b16d7bc4c39a670f2db16a6bfd084e78927ec0ee76293e443ddc915.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\AdobeTP\aoptiec.exe
  C:\AdobeTP\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTP\aoptiec.exe

Filesize
10KB

MD5
97183a53db85f80c5c65a84230319c99

SHA1
38ebd5b073338c908beb00c4207a9a9bd816e157

SHA256
49a49585b78e1b7d2f4487aa2386e0723707b94dcce968b7599c776fdfbb6467

SHA512
9650b8fc9f5409f50ad57412a9a82bab33582a7e64d3c869fe639c5e7723123b5826bf923b8a7c9c1488641d4e6873ca744ffffb1ccfa4c5656763e0972a4622

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
fe2514cfddc247183a6b1f667aea4eaf

SHA1
f5e006deaf958189cf201e61dafe1da7916b40d5

SHA256
b46e23f8eab6c9802b644b82201e58a9f8c460a3c8d02ca551e7a9710198b28d

SHA512
f0a9d7b3f264a27381633c8a656560039ccafa0ee66de9b90df58a8f65f583635dc5e831981db662474caa5db9076ba353a1237f3f95c2383e7f65caf190ead1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
c80a0d98a56563bf9be7587ed1a7d858

SHA1
a5e4ee75438b8f6fa344f2c48f70351e973c95ab

SHA256
3ca1e14eeca17af324effff4a260506bd8c7ea0166b615ec64efc78e47c6cccc

SHA512
2119538b70c5deb918faa13480accd434a29357b4e2cd803d98792b80aa9d7218f604b8e217ca2ced9c7759d5dee01bf765f15deb00ddc3f1580c3d90bfc6440

Download Submit
C:\VidFC\dobdevec.exe

Filesize
2.6MB

MD5
7e35d4d7c182ffbdb5990e2f7ba16ccf

SHA1
2283ff08b4123aeb34086e8dcc48f4a854b342aa

SHA256
64134d69e16f3e23e0d11f22c6ec9099bb6671cf5592f081f9bed36123872072

SHA512
feb3ed96e160b91cb61980c5780a9e461e0df9287c97d0d23f6db4f88d64aa97819cab444b3986767efa5266e7e184f229c26819d4fe081973fc771a7630e531

Download Submit
C:\VidFC\dobdevec.exe

Filesize
2.6MB

MD5
4034e806a9136fcec30cd1cf6dfab198

SHA1
644933520fba41821495c58229def6b979c7e274

SHA256
75bbf176ffdc0d1087332a2f8bf47e54de47058cd6e5c8ad51a3ea4a5277ea33

SHA512
e68a2eed5ac64eb28bb69ef1ee57ba6fc457b94c5b287b02befc8baf33e87658670674e93f95d7d537f3954a1161bba809b97eca17e5ab4afaccb55e9ed5edcd

Download Submit
\AdobeTP\aoptiec.exe

Filesize
2.6MB

MD5
0973cdf616f614aa4298944309a32079

SHA1
826ac364e08bfd61d9fd3b532506bbf5e7d5db1f

SHA256
b485cbc7fe4600fe81f1fe3916944033544221aa2b423ddfbd2d98f2cb4185b9

SHA512
37fc66933021b84755f3b87d28713c20d6476a2ee874e9d39d64e558f90199bde0bb964c0d3f14a80800ac942cb1cbafe4b1f29df2fa9c98fb9b3a5f76b76fc6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
8bbe333dee4690cd3a5509caf788fb32

SHA1
b746e2509eff7f761393bd844d73c0f41f9a362f

SHA256
212ee34c3147f6dc40365d537c1952af2e5143f0a5f6668a810274d58e3e2475

SHA512
a3b17174e7bc5fe6df578bb4e949edece02e305cb3a2fa7fe1a3b54c9623c3a3f4adea6a9c3c4df1a1e13e2a07711aa2c616ff20e60ed6e01d1ec78fc72db915

Download Submit