c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Size

2.6MB
MD5

fd31ea45aa1aa63450a52ad57d20ad06
SHA1

71378f4186e13d606df52c1784dda9d4dfcc954d
SHA256

c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7
SHA512

6c582c1870d7b7aad8da185de6a343e58d9b7484b3e307f35aa1fd0e9213665e5414c073963a8af670259cb352b04b22ce9a31f734ae5eabe3066e33c47a6b36
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpJbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	locdevbod.exe
2680	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePC\\aoptiloc.exe"	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWR\\bodxec.exe"	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe
2760	locdevbod.exe
2680	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2760	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	30
PID 2648 wrote to memory of 2760	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	30
PID 2648 wrote to memory of 2760	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	30
PID 2648 wrote to memory of 2760	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	30
PID 2648 wrote to memory of 2680	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	31
PID 2648 wrote to memory of 2680	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	31
PID 2648 wrote to memory of 2680	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	31
PID 2648 wrote to memory of 2680	2648	c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe	31

C:\Users\Admin\AppData\Local\Temp\c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe
"C:\Users\Admin\AppData\Local\Temp\c7c3d3d220f22878b4aab2b25ae376d00c0ec31cdc8d52213b7a5dc007a11bb7.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\AdobePC\aoptiloc.exe
  C:\AdobePC\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobePC\aoptiloc.exe

Filesize
2.6MB

MD5
826dfbb903aea30fafa9ae914503c436

SHA1
bc7a0f8155de78799d64a82af3919d1db254a16c

SHA256
a38ec0546b171094dd15b67476e40176d7e0cbb491bb60207479aeeb54467fae

SHA512
d1a3d0602f8309803d6500484232dab76db5c87e567b6dc9531b9fc54d4f443e7080165c891ed442a6a28a98498ae3c630c4558e23a2c10fa44ea3607810283b

Download Submit
C:\LabZWR\bodxec.exe

Filesize
1.9MB

MD5
1915fdd937da72ae64b0e4efabb29568

SHA1
e306db7d90fae6039909a04ae7e257fd803536a7

SHA256
fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9

SHA512
fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Download Submit
C:\LabZWR\bodxec.exe

Filesize
2.6MB

MD5
edff35cb8f33c3714b4fd7d0d25b24d2

SHA1
d3f28140c0c017329ba40818ee7d8054f9aef753

SHA256
1a28133036964f54299952a2255cf95f5a1a635a6c618891e1ef0d7246bdc939

SHA512
b180d63bef0b74b1feea3cbc68568bf42109429430507e70922c987945133ddae1302af8c1c0c365dfa22796c399c646625028b02d375fec79d4c32371c260d9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
bd727adb4f7e33b7622ed67baa9a072c

SHA1
b7301dfabd4bcb561d84484f936d692686b41e3b

SHA256
13186fcc7405ecdd12d00e61d2a0e9d7703559e9a1c6d4a3fed34542cd0f57dd

SHA512
4dc0706e347d753ddec1e7e5b43da809e66feb972587648f074a01b6302ac4f8ced1e7b769d94dfcc190fbe248f4f8dff20d9420de0fe4e3a7c077cbf659b344

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
930c3cd03f180c79beb07590836c2092

SHA1
5e3dbbf6b5baffb84df854fe456b1912b0f68e3c

SHA256
bc7569bcadd687bad8709d5b60616df2d2ba419854038e4f976511f0d6d93b85

SHA512
445881fa9184d9e4cc7899b3e5943fbb0310786ce2e00df04d902f54a00cc20b50bf19523ff8435cb36c45f27ba9723cb3ce9fdc9a15c4158524793954c1edbc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
b633b69cbc34a1a4bf4057c70ff8e8b9

SHA1
d337807d90e65347dbbdcdecd75df1c5975bdd10

SHA256
b5219704272aa69a88150f5e11bf107604e5cf9b8ad5076982071d2f6c7fb03b

SHA512
36b33ed9be82765efc27dba9da2bfd7153ca8e47f5d053afee9504b0d2fd04872da9ea72a987f9d2f9840b37785824b405c8bb9b27b3817e2bbcc9a1aecf3f52

Download Submit