e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Size

2.6MB
MD5

e42456cd503692c77a790d7d8a6edec3
SHA1

af6bf64b482e44feb223baa426393b883922c098
SHA256

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8
SHA512

c9ac8dadeb8fd3b35239f873fc64e5e4090f79caa0ac48cee436fbe5c0ec520e77c311207edee284ee55e02f5b39baf6ce6e8af0304717fe4771c36b8c060f98
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUp4b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Executes dropped EXE 2 IoCs

Processes:

locadob.exexoptiloc.exe

pid process

2972 locadob.exe
2716 xoptiloc.exe
Loads dropped DLL 2 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

pid process

1848 e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
1848 e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

pid	process
2972	locadob.exe
2716	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLY\\xoptiloc.exe"	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0H\\dobaloc.exe"	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exelocadob.exexoptiloc.exe

pid	process
1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe
2972	locadob.exe
2716	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe

description	pid	process	target process
PID 1848 wrote to memory of 2972	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locadob.exe
PID 1848 wrote to memory of 2972	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locadob.exe
PID 1848 wrote to memory of 2972	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locadob.exe
PID 1848 wrote to memory of 2972	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	locadob.exe
PID 1848 wrote to memory of 2716	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptiloc.exe
PID 1848 wrote to memory of 2716	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptiloc.exe
PID 1848 wrote to memory of 2716	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptiloc.exe
PID 1848 wrote to memory of 2716	1848	e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe	xoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe
"C:\Users\Admin\AppData\Local\Temp\e92ebd3e17088e9ecf9fa5c68013deabd37879c99a4f083b9d489e186f81ebe8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\IntelprocLY\xoptiloc.exe
C:\IntelprocLY\xoptiloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2716

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocLY\xoptiloc.exe
Filesize
2.6MB

MD5
4061ca3ae4de54e194408cc3352c3320

SHA1
1def32489817d1edf15ed414861f008e00e45732

SHA256
a440d1030f1d2eb0b541d49b9f1404088f1a38042d1603119763a1e3c02e17e5

SHA512
08680d74277bf6d7acb655818fda73ca7de14de2925879e0f5e68932b3eebed1ac859f545e59e364ff7cb98ab412a3607eb619f74501fb3126a36ac3df799f31

Download Submit
C:\Mint0H\dobaloc.exe
Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\Mint0H\dobaloc.exe
Filesize
2.6MB

MD5
3bc872d35879afc867f85b725acc0e7c

SHA1
3b0d8511985a796de7e7cbfc3f4805e8e5459f9e

SHA256
9e477a4dc49f352c63aaa5d5ff1bf2b153eedef71631ab4d38f7e7f76c968ca3

SHA512
374f037837553301a751d454a0d2ebfb25a1fc32e5a2b1896fd6cd0a0a6db05d1a77b882eb29e53d63c8299b4440f379a628daead6609d2808b2c8f59cc04730

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
173B

MD5
5ad0573a0e9e2ca0612d6a716d260bb4

SHA1
e746b995897753b23237e7216c1c41b3cea9d9c8

SHA256
05b7423a7145ecd58e1d7af4a732bd70d0b19863d9a8269e18a651a0c2d0fb14

SHA512
612136497e794f6040b4b96933a44da7fa2b159f14857e9ccbfa15b6e5ffa73b3c4b1ad85b3ca91f4a66a8ed9e5c74cdc2819ff14b8c8917ff8ffa8358eaf77b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
205B

MD5
ad82d1f8c3849959e4b778d3477a17ac

SHA1
6f223d4be843d118be3fdc0e94c8d10b3c74cf92

SHA256
25800cc20173904a08476e404126da2fb82e589ad24834b49f2c4c93564537e3

SHA512
45486322b4ba0ff6c8599eb99f651f1c59ec1c5bf65321aa73db334b967b6cc789a5f606546ea4d7e6d1c9e2ff4de4b7a32197209d0b897b844e2f8ac1f7da1c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
Filesize
2.6MB

MD5
ba69bbc85da20c2554add316ef6f172f

SHA1
a18060c547fc06ac8d0b95304ab00e92c8752b8f

SHA256
5582e06510f0862d418f335c5cf21f5831aaa844da57dda1b43ccd0ccd9abfa7

SHA512
fb9b9171c2c1d69be02cc758760783eaa913aa95cf94650f1f4608bc331d79569aeefac8e3aae7d26b275290b91b167f5b00501832de34bd42dfeb0ccc5d89de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads