18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
Size

3.2MB
MD5

6733057c3df40829370247b699a3a581
SHA1

29d1f4bf67043f347e96184dfee97bc4622397a8
SHA256

18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7
SHA512

58fbe8a4da38bf460d702f72e5c4d2602da197c9771ab716b74e893f602335291729d46f4e680dfabfcd372d26b44d12f3d78d6ad0d00ad8ebb547beed1a68a1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpWbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	locdevopti.exe
1720	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0U\\devdobsys.exe"	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAL\\optidevec.exe"	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe
2704	locdevopti.exe
2704	locdevopti.exe
1720	devdobsys.exe
1720	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 2704	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	91
PID 4652 wrote to memory of 2704	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	91
PID 4652 wrote to memory of 2704	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	91
PID 4652 wrote to memory of 1720	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	92
PID 4652 wrote to memory of 1720	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	92
PID 4652 wrote to memory of 1720	4652	18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe	92

C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe
"C:\Users\Admin\AppData\Local\Temp\18a2ac5c4baf460f18a88030e2f8f4c1084beafd126f156cd0bc4e78e86446a7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\UserDot0U\devdobsys.exe
  C:\UserDot0U\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot0U\devdobsys.exe

Filesize
3.2MB

MD5
21e089e19973318cfa3b074a21e26af0

SHA1
f0806a70a3f51f5fb43af65e7756eec9c67cb0e2

SHA256
258657a776f751dca53ed9697b45fe8573a7db4269c58cb62b68f002dab614e8

SHA512
809e83d1e1c797d10169754f48ce40e7dcb6b91c70dfb982a4b0e65aa885c5dd29167e5138c708150d525da1398f639fc7bdef2f9414c117dddebba21006f2dc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
c3118462c9a7ad68a364a58b00379a65

SHA1
2e7fc89f3802c31bc96717cc3041e56fb2224b02

SHA256
42f783a71bb0bbcb8d589c4b2ff0a3018073992470e08926b9a5adbfed5fe705

SHA512
6d2f6d5abcc4f9465575d7eba15e3e04a5d1ccae90da2079b5820191f3d07afa51f2eb158b17f211623c00d8650dccf745718a60105129473af56a7d1a5df61f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
b48033c0374e4eea5fd608c5a5abacd6

SHA1
4098644639fbb9e94e8758d9c1f86ce9fb0d8945

SHA256
96c69ea7e49249e558a1ec951878e480825f298d9b36bc84630712b2c82bf577

SHA512
abf2ec7eb1f7ada439a0170d3b5bbb09b168136598032f0fe39e18a1595d4ddf51ab74a7b0a9d7a45629b6dcd1febb1b3d103944f727d97315f3477391427ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.2MB

MD5
0aa81dcf0d30761da8512de575954895

SHA1
81016d0f279ac1433903328c8f2867d51456360b

SHA256
421d315f740b29b4dddc2b6eb8a19d828ed9536f677976229cb153c3cec46750

SHA512
442e0630f6f82a352ddbb0f19f4901de0bbcbb484d02cb17e0677c40637320e453c45711300ade06b96f8e911fe47fb04bd08a924203161a146ade27cd32d00d

Download Submit
C:\VidAL\optidevec.exe

Filesize
3.2MB

MD5
4a79594f2eb648c0dda145dae896b61b

SHA1
834caf65ad86d320d57117f9581120b5a8d2f0fb

SHA256
834ba9b98179b5298f18818211fcdb44435449321556cad0dd9d2b76ed17c273

SHA512
20f6f4d1d1eb9cc24804daeea16b4d641048bbf7399d3d7971f23f890a227cb8aed0ccc289b0a7489b6a841340f63e9089d5d57e8ee716f20a4cbe06044c9efa

Download Submit
C:\VidAL\optidevec.exe

Filesize
3.2MB

MD5
e1c693c46266be0dd9fc9cf7a776ede3

SHA1
b6b0bba4129b46f939dc0b052d0d3b4902e85c46

SHA256
70020a977f57731b4babd278f472c053dc916fcf75d2efc6b7efa30fdb2713c5

SHA512
9e993dfcf9d341b8cbe4d89c0f4e4a37357b5023b52580061d2a2be2e0ad04f7948220bb8f443d2c997a8604753fbd4a5a6e0b510ad1467a639fc3fbedd767fb

Download Submit