Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 14:02

General

  • Target: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
  • Size: 2.6MB
  • MD5: d144622be621aeaf92ef9dde8fc3d0eb
  • SHA1: 7f743f7e5212d3135774e0ada837b5de463693c9
  • SHA256: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1
  • SHA512: c9a8865b4fe6476e2ffc64fb31dbcb2664c96c5cb423f711d86457b9e1ffcc3f0dfc5b2ca9d13efdd7dfe7cbd9a20f299bd2e1df5b9dd76e00fa00e14057009c
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSm:sxX7QnxrloE5dpUpKb3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe (depth 1, PID 2096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (depth 2, PID 3056)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\UserDotP5\devoptiec.exe (depth 2, PID 2700)
      Command line: C:\UserDotP5\devoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ8F\optixloc.exe
    Filesize: 982KB
    MD5: 9ef5dac7fbd87ffdb3bf89bcfc7c5c05
    SHA1: 087d3d897589c0405fc60e3c1306a382a87d4c12
    SHA256: 1ba3a266d5d854e990e04d0d3f9964849e48ed1c400f851f442c1fcedffed311
    SHA512: 27b9ff13f85dbf5afd9b603d8c41c3947a4648fc78ad2a9bfa8c3cf277f89a98ba2a075728a5d118ed8f0233c0dd08b52b335adbf6ce3b161cffeed5e86a741e

  • C:\LabZ8F\optixloc.exe
    Filesize: 2.6MB
    MD5: 561a7d67a18ecca1cacfa37a41330b59
    SHA1: 93d1824595d591a5431b9c3b606bb4d0574b515b
    SHA256: 737f0fbe32b07223369e0777830f46b5c8706a6c249969311ee29acb2e708424
    SHA512: 7537ba9be5ab4ba82b8aa791f29f97524fc666b3b261e9c882603ad6e597dfabeab99822e8ecf03e11f532ba920b64b3e3d078bd40fd76d9f3e3e745b480bc86

  • C:\UserDotP5\devoptiec.exe
    Filesize: 2.6MB
    MD5: 69a50b457a82699512e1ce115c7f8200
    SHA1: 68ae71fb1a529229cebbca1013f3bf520c9cc713
    SHA256: ece1a4b6e6d3c667b568e48db5bf42716adc80f85584616786b94d1632603739
    SHA512: a225e6423d6139877c8e1c4606a84cc0064134c526a14ad5da058228b1eab88c18500b3d771444c7595b84b7e5216fd24c7992733eb31dda177dcace512d5b02

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 2467272bbc3bfe1a5fa8914fc39a26dd
    SHA1: 7d1013633498b18e5dc02997d7e549bea3d7fc78
    SHA256: 2fe1d651c3463821461050c6a8a01dbbdb14abae19485ddf0a300297465a7eba
    SHA512: d309d58e402d0776a60c81c0368790c808c71d6ac759a0922fdb8a44d36921946f68af6d150dea385b101d855f5690a5f2774685513a8ed2fbb7c4fb9615a3a5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 99fb1b66b66821cc18b8b902aabdccd8
    SHA1: 8ef118e05de91beb6f8d2c80d2006c88c5459f76
    SHA256: db4b40aa48b134644eb2cf488561ec3869b872bd9049996e9f8cf77ccd650ecd
    SHA512: 7381d1a75b92909c3165df2bd61f63ca0e8ba39d865cec15d42cf1185007efe2339a4b4ee0dc0b9b0f7a5960388c6eb3cce905d80fcfdd57b73c6cd32b57e5c6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Filesize: 2.6MB
    MD5: f2eafa825f1801a63dbb4ce5c6c681cd
    SHA1: fb057224d5fd7386266a14100672f07da14d44b5
    SHA256: a37fda687aa6fb450b6a891610d60b3de85a74f28416a58196d3b0d9fca848bb
    SHA512: ce4bf61556c27c0ad59e697483ead1ad729a059cb152690fb15bd2b9c083d727f9eea4718fdbb583448cb6388205294eb5a5513bc6873a0880ca0239d2a001c9