Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
13-11-2024 14:02
Static task
static1
Behavioral task
behavioral1
Sample
bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Resource
win10v2004-20241007-en
General
-
Target
bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
-
Size
2.6MB
-
MD5
d144622be621aeaf92ef9dde8fc3d0eb
-
SHA1
7f743f7e5212d3135774e0ada837b5de463693c9
-
SHA256
bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1
-
SHA512
c9a8865b4fe6476e2ffc64fb31dbcb2664c96c5cb423f711d86457b9e1ffcc3f0dfc5b2ca9d13efdd7dfe7cbd9a20f299bd2e1df5b9dd76e00fa00e14057009c
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSm:sxX7QnxrloE5dpUpKb3
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
-
Executes dropped EXE 2 IoCs
Processes: locabod.exe, devoptiec.exe
pid | Process
3056 | locabod.exe
2700 | devoptiec.exe
-
Loads dropped DLL 2 IoCs
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
pid | Process
2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP5\\devoptiec.exe" | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8F\\optixloc.exe" | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe, locabod.exe, devoptiec.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locabod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe, locabod.exe, devoptiec.exe
pid | Process
2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
3056 | locabod.exe
2700 | devoptiec.exe
(the remaining entries, up to the 64 IoCs counted above, alternate between 3056 locabod.exe and 2700 devoptiec.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
description | pid | Process | procid_target
PID 2096 wrote to memory of 3056 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 30
PID 2096 wrote to memory of 3056 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 30
PID 2096 wrote to memory of 3056 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 30
PID 2096 wrote to memory of 3056 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 30
PID 2096 wrote to memory of 2700 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 31
PID 2096 wrote to memory of 2700 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 31
PID 2096 wrote to memory of 2700 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 31
PID 2096 wrote to memory of 2700 | 2096 | bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | 31
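The two persistence signatures above (the dropped file in the per-user Startup folder and the Run/RunOnce values named "Parametr") are the artifacts an endpoint detection would key on. The following is an added example, not code from the sandbox or from the sample: it scans Sysmon-style events (Event ID 13, registry value set, and Event ID 11, file create) for autostart writes and flags any Run/RunOnce target or Startup-folder file that does not live under Program Files or Windows. The event records are constructed by hand to mirror this report's IoCs, plus two benign controls whose vendor paths are invented; the field names follow Sysmon's schema, but nothing here is exported sandbox data.

```python
"""Flag autostart persistence (ATT&CK T1547.001) in Sysmon-style events.

Added example for this report, not the sandbox's or the sample's code.
SAMPLE_EVENTS is constructed to mirror the report's IoCs plus two benign
controls; the vendor paths in the controls are invented.
"""
import re

# Run / RunOnce under any hive prefix (HKU\..., \REGISTRY\USER\..., HKLM\...).
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# Any file landing directly in a Startup folder executes at next logon.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Autostart entries pointing here are the usual vendor/OS case; anything else
# (user-writable directories, odd top-level folders like C:\UserDotP5) is flagged.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\program files (x86)", "c:\\windows\\")

TECHNIQUE = "T1547.001 Registry Run Keys / Startup Folder"


def image_from_details(details: str) -> str:
    """Return the executable path from a Run value's data.

    Handles a quoted path followed by arguments, and collapses the doubled
    backslashes that sandbox reports use when rendering registry strings.
    """
    d = details.strip().replace("\\\\", "\\")
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]


def find_persistence(events):
    """Return one finding per autostart artifact written outside trusted paths."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and AUTORUN_KEY_RE.search(ev.get("TargetObject", "")):
            image = image_from_details(ev.get("Details", ""))
            if image.lower().startswith(TRUSTED_PREFIXES):
                continue  # vendor updater under Program Files: not alerted on
            findings.append({"technique": TECHNIQUE, "kind": "registry",
                             "pid": ev["ProcessId"], "process": ev["Image"],
                             "artifact": ev["TargetObject"], "image": image})
        elif eid == 11 and STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            findings.append({"technique": TECHNIQUE, "kind": "startup_folder",
                             "pid": ev["ProcessId"], "process": ev["Image"],
                             "artifact": ev["TargetFilename"],
                             "image": ev["TargetFilename"]})
    return findings


def autostart_images(events):
    """Executables the events say will run at next logon."""
    return {f["image"] for f in find_persistence(events)}


# --- constructed events mirroring the report's IoCs (not sandbox output) ---
SAMPLE = "bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe"
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
USER_HIVE = r"HKU\S-1-5-21-3290804112-2823094203-3137964600-1000"
RUN_KEY = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2096, "Image": SAMPLE_IMAGE,
     "TargetObject": RUN_KEY + r"\Parametr",
     "Details": r"C:\\UserDotP5\\devoptiec.exe"},  # doubled backslashes as in the report
    {"EventID": 13, "ProcessId": 2096, "Image": SAMPLE_IMAGE,
     "TargetObject": RUNONCE_KEY + r"\Parametr",
     "Details": r"C:\LabZ8F\optixloc.exe"},
    {"EventID": 11, "ProcessId": 2096, "Image": SAMPLE_IMAGE,
     "TargetFilename": STARTUP_DIR + r"\locabod.exe"},
    # benign control (invented vendor): installer registers its own updater
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": RUN_KEY + r"\ExampleUpdater",
     "Details": r'"C:\Program Files\ExampleVendor\updater.exe" /background'},
    # benign control: ordinary temp file, not an autostart location
    {"EventID": 11, "ProcessId": 2096, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"[{f['kind']}] pid {f['pid']} {f['process']} -> {f['artifact']} => {f['image']}")
```

Run stand-alone it prints the three findings from this report (the Run value, the RunOnce value and the Startup-folder drop, all attributed to pid 2096) and stays silent on the two controls. The trusted-prefix allowlist is deliberately narrow: a Run value whose target sits in a user-writable or unusual directory is the signal, and the image path rather than the value name is what to pivot on, since a name like "Parametr" can be changed freely between builds.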
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe" (tree level 1)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" (tree level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
C:\UserDotP5\devoptiec.exe
Command line: C:\UserDotP5\devoptiec.exe (tree level 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 982KB
MD5 9ef5dac7fbd87ffdb3bf89bcfc7c5c05
SHA1 087d3d897589c0405fc60e3c1306a382a87d4c12
SHA256 1ba3a266d5d854e990e04d0d3f9964849e48ed1c400f851f442c1fcedffed311
SHA512 27b9ff13f85dbf5afd9b603d8c41c3947a4648fc78ad2a9bfa8c3cf277f89a98ba2a075728a5d118ed8f0233c0dd08b52b335adbf6ce3b161cffeed5e86a741e
-
Filesize 2.6MB
MD5 561a7d67a18ecca1cacfa37a41330b59
SHA1 93d1824595d591a5431b9c3b606bb4d0574b515b
SHA256 737f0fbe32b07223369e0777830f46b5c8706a6c249969311ee29acb2e708424
SHA512 7537ba9be5ab4ba82b8aa791f29f97524fc666b3b261e9c882603ad6e597dfabeab99822e8ecf03e11f532ba920b64b3e3d078bd40fd76d9f3e3e745b480bc86
-
Filesize 2.6MB
MD5 69a50b457a82699512e1ce115c7f8200
SHA1 68ae71fb1a529229cebbca1013f3bf520c9cc713
SHA256 ece1a4b6e6d3c667b568e48db5bf42716adc80f85584616786b94d1632603739
SHA512 a225e6423d6139877c8e1c4606a84cc0064134c526a14ad5da058228b1eab88c18500b3d771444c7595b84b7e5216fd24c7992733eb31dda177dcace512d5b02
-
Filesize 173B
MD5 2467272bbc3bfe1a5fa8914fc39a26dd
SHA1 7d1013633498b18e5dc02997d7e549bea3d7fc78
SHA256 2fe1d651c3463821461050c6a8a01dbbdb14abae19485ddf0a300297465a7eba
SHA512 d309d58e402d0776a60c81c0368790c808c71d6ac759a0922fdb8a44d36921946f68af6d150dea385b101d855f5690a5f2774685513a8ed2fbb7c4fb9615a3a5
-
Filesize 205B
MD5 99fb1b66b66821cc18b8b902aabdccd8
SHA1 8ef118e05de91beb6f8d2c80d2006c88c5459f76
SHA256 db4b40aa48b134644eb2cf488561ec3869b872bd9049996e9f8cf77ccd650ecd
SHA512 7381d1a75b92909c3165df2bd61f63ca0e8ba39d865cec15d42cf1185007efe2339a4b4ee0dc0b9b0f7a5960388c6eb3cce905d80fcfdd57b73c6cd32b57e5c6
-
Filesize 2.6MB
MD5 f2eafa825f1801a63dbb4ce5c6c681cd
SHA1 fb057224d5fd7386266a14100672f07da14d44b5
SHA256 a37fda687aa6fb450b6a891610d60b3de85a74f28416a58196d3b0d9fca848bb
SHA512 ce4bf61556c27c0ad59e697483ead1ad729a059cb152690fb15bd2b9c083d727f9eea4718fdbb583448cb6388205294eb5a5513bc6873a0880ca0239d2a001c9