Analysis

  • max time kernel: 149s
  • max time network: 103s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-05-2024 03:14

General

  • Target: cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
  • Size: 3.2MB
  • MD5: 052ff82301ca1d527e59fec075ef83ef
  • SHA1: df525deea057835b27d16158df920b2b1aef740c
  • SHA256: cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e
  • SHA512: 3d0fae2d8ba99adb133b0f2165c1b62e5f76bca631297ea79db9f62b34c1016c5a50ae6fd5e9ca52cc91af6e80ce5740220b5ac71bd87d11b3d9d28881a3ebe0
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
    "C:\Users\Admin\AppData\Local\Temp\cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3288
    • C:\UserDotQ4\devoptisys.exe
      C:\UserDotQ4\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1448

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\LabZXH\optialoc.exe
    Filesize: 2.9MB
    MD5: a398e775ee70977b2fcef4559231e543
    SHA1: 44bdc194514ab9ecd2fcec6a31896d950fc58753
    SHA256: 4699efd832002765e47dd67e22faf9d96f32fcfccca5b27cc8b42717119dce2a
    SHA512: 8355de04e64e6238f4a321359ed9ebe0b61db46dee6f75ff7a168c1a73e5a3b4a70311ffdae406324fb926b117d6bddc1cf17ae80ba273349ca32254cc98830d

  • C:\LabZXH\optialoc.exe
    Filesize: 3.2MB
    MD5: 1f6c9b0ef77cbe6ab93308cf23ef2d34
    SHA1: 20211b431a0114aa3df208bda0ab4834cabf6341
    SHA256: c07febd572ca529c302217b8623b5aeb99e364377ccebf82d63f4e659b6fa5cc
    SHA512: 7c4947e02593c8447d6d978b7c891fe801ffc27e4b011737a734ee8a282d3a80509b393f3330f8f2fdeebd8f80ffc0137589ab474ca4f1d8e7d94959253d0702

  • C:\UserDotQ4\devoptisys.exe
    Filesize: 2KB
    MD5: 9f96bc76f29d793ab45b1ae4f654062a
    SHA1: a9bf818d9198d791ad00946e887e72a71ed7dd04
    SHA256: c3c997aafeb0ebd09d49c4025218a6b5c0e5d315c9afa83a05732b0be7de7814
    SHA512: 37010d647b0a90311ba860866ada29d813bbc72105b182b5ed2c8921151c54d99a94e12fa512acecf0ddedff61703c62a8e22f8abb2a48332660efb7abe8f277

  • C:\UserDotQ4\devoptisys.exe
    Filesize: 3.2MB
    MD5: d41d4784ea87533f76fdad11f23965a5
    SHA1: a25f892dc2f3336e989f78da6697fd8e49df998c
    SHA256: eb8d0d02dee25ac55f01d93f83acc8aaebd8e29c54b99fa89d7cd1ed5e49ea79
    SHA512: dc800b3834688423c3567b14906267e9accffc680b1ff90a6994fe2dada9830890cda1f7a06b87bc74768bd4b8b6fcb8583b61b3a1ad855ef496e204a767d9c6

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 208B
    MD5: 521f73a98148a08098bf1d6631bc774d
    SHA1: b4002ccc737a0e0046bd9b58c01f07a40cac2567
    SHA256: 56838c790077a1517bb7b19a7008307108b90c1c598d9c039f2c91fcbcb9774f
    SHA512: 8abc6db139debc5ec194e8c792a1d851459cada2139692e3e760e3ce08e8ec139b88f2986aebc1eee1de51008c8004f46ee4ec3622ba698b921c8f1b21c08495

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 176B
    MD5: a30e689a37b48cd21654749751d9f90d
    SHA1: 21421a2ef98591be1e00709c74834a6831f03c6c
    SHA256: a5a87ece19d825a80913d44589b58c06d0459556ad3e03a6f093a16220b10329
    SHA512: e86e5360b0ff59bae0fd171251990617c45be53f2a8182cb116035b543a1bb7638ea8f5773d2720da640bc58a7bf48a19bed55a0354f6389b311e22a0bcea2cf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 3.2MB
    MD5: 08388edb09b498e722514e760359fd86
    SHA1: e370d58b8dfe97b48bfca9315d3cd335bf5ba5e4
    SHA256: 1570a3223ca7f3159a7f1676cf7d1994ccd58203f6d7835de2fb6177a75cd6d5
    SHA512: 913f5d45808a13230b34f028580f513ec3d1a14974cdaf18517041d0290f8c0c0b5b9b493a0caf2f178c5119666ee5613de283ce568b27cc834e52e3311986e1