1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
Size

2.6MB
MD5

d05d1c07e7e474246c06a637c5a40b9c
SHA1

0be0f0d12e13666d5d1ec1d5aa1d026e3a801f0b
SHA256

1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0
SHA512

a2b7bcdc9de0fa2464d555104a75990479c198e0eda2785cdafab23a70c4e925d7ab07cebbb647af40a10d5be34f39dcfa3636d89e12c1f59e1b5ff77b1c1564
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqG:sxX7QnxrloE5dpUpBbVG

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	locxdob.exe
2204	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDA\\devoptiloc.exe"	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOV\\optidevloc.exe"	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe
2896	locxdob.exe
2204	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2896	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	29
PID 2596 wrote to memory of 2896	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	29
PID 2596 wrote to memory of 2896	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	29
PID 2596 wrote to memory of 2896	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	29
PID 2596 wrote to memory of 2204	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	30
PID 2596 wrote to memory of 2204	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	30
PID 2596 wrote to memory of 2204	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	30
PID 2596 wrote to memory of 2204	2596	1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe	30

C:\Users\Admin\AppData\Local\Temp\1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe
"C:\Users\Admin\AppData\Local\Temp\1d23419144e693d03c2b7c119955160dab85f34f9fef2c1e984071e0b8261fe0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\IntelprocDA\devoptiloc.exe
  C:\IntelprocDA\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocDA\devoptiloc.exe

Filesize
2.6MB

MD5
db4b5a60bca794f0389afef96cde145b

SHA1
92eb4606b9b98f9156f03edcfdad4b86c807e176

SHA256
da0e576602d57f9a11e8a12388e1e67242a21e5e5d9cf30c0c9f19ec261b3ac2

SHA512
b71fcf603f50bab9031e1891690625d09c4e93bb8d3943bb5ee3567be30044eefeb0e209e83de9c986dee9857c5788a91f475ac8c1c3c293b3228481e51fd6ba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
246990f3df5ee902e609070782234d87

SHA1
baa7294ec0b081c8a4afbd3b3b5d3ae883b6378d

SHA256
ef07da7d2ec485faf199040633d4cc2410c586d5c01d49e8d0ee70b6c0eea449

SHA512
388f423f0be98c33e94798f3b5fc63912a77a099b78baa1096d5b4dc98fb7408f97d09f0e0ba16b04dcb734039057158b5c7a99a6a1f7df567bcf71d6534998c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
17e1756e81b9ccbd5c8310a1eb95a4c7

SHA1
a0daa095a6c26c89e6463218152c376cb5f13997

SHA256
ad90ab695789e54adbda35b86076ffa560ca798d5dc90a4dbe4315c0fb30a4c0

SHA512
c8bca9425ca12f4ad860601dae79645469997215746b9ddc1b246eb23de3430bb88ab95d5b823f28acb23c697a4d951fbc9ba2cbf6dfd7f644e9a3af159ba776

Download Submit
C:\VidOV\optidevloc.exe

Filesize
2.6MB

MD5
7272ea211ce8e5b5a45ab8345968c99e

SHA1
e05d218a0daa3f37945ace122ae35a50a6adeb04

SHA256
2c070cbe7d2bafc6abe38f00e6941042b6f7879bd69d73414f34a7bec70c775d

SHA512
3dc42c20490501cbaacf57743ba5da53dbcbee4d035c12e755108f0d8e91f1f4b017466c00c11df9f54605cdcee930a4db1d09f7f793adc95d430f92d4c5b228

Download Submit
C:\VidOV\optidevloc.exe

Filesize
2.6MB

MD5
5d772574a46d0d07816ff5d9957424d4

SHA1
261223f59678edfd44ddd8a2ff38076d0951376d

SHA256
c032038ae999c80424e1a06fb0d129c5c658fc7f0e3bb092cce6170b7c8dd24c

SHA512
cf8e54a1e4bd4a3bd0b101f817c1ecc84cf0a70f82f3adb0170c7362fd9ff852f5607b51cc7dd3e15f6cdd22d2a66b64d5535d54f6217cc0522a298362c66909

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
f50c41864e373303cc1b390103d0c9b5

SHA1
f91e76343b6e0b0f4cf146261a51291fe24becaf

SHA256
094018a4843d7ab08d10b02ccd6ad4cedfdb3ad72c58eb8375344789ae31081b

SHA512
49a734ab06f65233822d876162a0dfe88eae2a3becf1858884509c194af04a0db0b0b4128ac2ae6df20198fd2e94669047e849165461c95ea5a9b661255ac2b1

Download Submit