b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
Size

2.7MB
MD5

9f41fe3e32fe71ff439c684260203b4e
SHA1

16ffca1bfc27869f62472cfb4f5e47d9a94d8d2f
SHA256

b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996
SHA512

d84b884333bf57bdf4b8c4ad4ff717b7207761f82506cedfa80da6365e24bdcf468f924986ca024f3c3595297ee86acb72b2776fae1eb14e09bdc86d226cf1b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSp64

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe

Executes dropped EXE 2 IoCs

pid	Process
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEP\\devoptisys.exe"	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOU\\boddevloc.exe"	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3412	ipconfig.exe
5080	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
1016	devoptisys.exe
1016	devoptisys.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 920	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	84
PID 3584 wrote to memory of 920	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	84
PID 3584 wrote to memory of 920	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	84
PID 3584 wrote to memory of 1016	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	85
PID 3584 wrote to memory of 1016	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	85
PID 3584 wrote to memory of 1016	3584	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	85
PID 920 wrote to memory of 3476	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	95
PID 920 wrote to memory of 3476	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	95
PID 920 wrote to memory of 3476	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	95
PID 920 wrote to memory of 540	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	96
PID 920 wrote to memory of 540	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	96
PID 920 wrote to memory of 540	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	96
PID 920 wrote to memory of 1944	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	99
PID 920 wrote to memory of 1944	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	99
PID 920 wrote to memory of 1944	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	99
PID 3476 wrote to memory of 3412	3476	cmd.exe	101
PID 3476 wrote to memory of 3412	3476	cmd.exe	101
PID 3476 wrote to memory of 3412	3476	cmd.exe	101
PID 540 wrote to memory of 5080	540	cmd.exe	102
PID 540 wrote to memory of 5080	540	cmd.exe	102
PID 540 wrote to memory of 5080	540	cmd.exe	102
PID 920 wrote to memory of 4324	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	103
PID 920 wrote to memory of 4324	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	103
PID 920 wrote to memory of 4324	920	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe	103

C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
"C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
  C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:4324
- C:\FilesEP\devoptisys.exe
  C:\FilesEP\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEP\devoptisys.exe

Filesize
279KB

MD5
4013bc05c39f059641052b196e5540d1

SHA1
df976eccf3b0d3ddcb578635cf35605b6f150832

SHA256
ae3976f41119fbf791d3bea297caa7f1bd68bbc135f2c8a80b8b488ad3386f19

SHA512
201b7614694b96af26ed525587ca0baa67fe7a5256c389310c6898cf60175d420ba06bb3bcd9f2ad76b92281d104a72d422ad374d7079213eaa04870297dfdaa

Download Submit
C:\FilesEP\devoptisys.exe

Filesize
2.7MB

MD5
ddbe3b58f798d62221befea489b3c2a2

SHA1
7351be65b00d618060a87999fcef184926f484c2

SHA256
5cfbce009a00da449645b37864ba6060c76bda0414a3f924896f736b26f5e120

SHA512
14cd3c0a154d2e48217608f9e39e457ecd34cc55a4fb50c6134ca480fa18bad077190a7cde523c156a8dea134115a87ea7f20dde4dee353c081911f1a9c67bd3

Download Submit
C:\MintOU\boddevloc.exe

Filesize
1.5MB

MD5
67215a498bd5f2a77d7f79fe2c581dae

SHA1
3193c628c0aa0a6fa55d259e4fc4c56c0ec66a95

SHA256
f504ef313d3bd07b82b13f3746e91cda272d32401f767aacbc267b902157b454

SHA512
0294af170801f817926b5d73bd08e24597e27c3399eb60adbdf5034426ba2d7d60ae6b5533f2ca122637da11b1d86765f1b0d57f7110d425eb846b1b113eb82a

Download Submit
C:\MintOU\boddevloc.exe

Filesize
1.3MB

MD5
4a7b296a3da056ee3f728bd48185ddb5

SHA1
40e2e969e2b80248006a800fc31d6f6afd0c9466

SHA256
eb2841c0c7a0ca1b3d217bd11d5149bceb3bfa162c1166fb1ee48d8d6f264c8e

SHA512
2d0de4bfbfe6fcb224c53144582216a595b1ddbc579b412d5ef3b907864b31fa4b4eb8beb74be21596521e7b68291586c4fe7e03efc235435518428f49017980

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f225d59c3939e286d888b8896e26d150

SHA1
d2f28fea96e64b035abd0fb5794346a31f54f745

SHA256
b6bf087b6ff21b939237ec2f58103fab5bf7a1a47880419e643cc126d7b80ba7

SHA512
7f790a4e4d15a2d8450479286dbbbfd70e5f0d4e46275cba186b5015c92b7670f1126e2f6aaafdcfefc94e98e5751408f00627302f6a30fddf9275fd543180ba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
f43c5f5fd056c101ae2442c39918fb62

SHA1
de5b81431bcd0eec11374ed3af12dae360a4cdef

SHA256
36881267b7d45707facd9b954f46c1cc9373dd1d2b263f4315291d076351185c

SHA512
abd1e1f10ad929abfaa5f6332fd29603bdfc7c56cc785ea3ec0e16113e63d7af50acd73974431e9333c052139d7bd14492150962c86e1b28a23b2138076ed684

Download Submit
C:\Users\Admin\grubb.list

Filesize
39KB

MD5
bf2dc7fc7b6bacd0061c867d8ba643fc

SHA1
5b5b4fcb1555d21ae3661429c5b72fc781651a26

SHA256
bcdf0cffba34c802d9c229bf22c86ed6b7fc1678cf5ca5571a3f6d3da7df27cc

SHA512
42624f9257e3c365cabcf2b16b6497c6c74fc87ae35759c5a80b5b721aef3b21e61dd13a2d4cef3a53f989a40900e48694ee9ae118527103b74aac89d11eae36

Download Submit
C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locaopti.exe

Filesize
2.7MB

MD5
196d281a4f388e92238b816556864636

SHA1
c57c17f454944bd62802dd19d2020e26593258cf

SHA256
65f8e588f178a6a1ddaf6903eeab3b81bf4b854c3aeca313142cc0ccd5d4f07b

SHA512
5c85c3a3ecef5d77e8f0a994265d2eae1fd656324c52b725a3ab76e438d5fc2c725e9a9255c13c3381569dd8fbe32840f7d1e028fa477de50a15309511923e53

Download Submit