56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
Size

3.6MB
MD5

813969ce4839a1f38c8ab3712a7c1920
SHA1

eda45ba1c18cc53d6c3dab7d3a1d05af1288726f
SHA256

56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8
SHA512

8157882a2d7ae3d7b7a27f96a3847f37d78d09d9c3df784d781f1065eddb9aca1a759bbb8875c196ce2b694ae4e839317e7d6571c8ff942e67ade498b5e5d1fd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpwbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

Executes dropped EXE 2 IoCs

pid	Process
4604	locdevdob.exe
3328	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3H\\devdobloc.exe"	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNV\\optidevloc.exe"	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe
4604	locdevdob.exe
4604	locdevdob.exe
3328	devdobloc.exe
3328	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 4604	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	85
PID 2592 wrote to memory of 4604	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	85
PID 2592 wrote to memory of 4604	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	85
PID 2592 wrote to memory of 3328	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	86
PID 2592 wrote to memory of 3328	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	86
PID 2592 wrote to memory of 3328	2592	56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe	86

C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe
"C:\Users\Admin\AppData\Local\Temp\56280505356cc5afe5d70864d1b1fa9dd71873362231a03ec9478488465ea0d8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\SysDrv3H\devdobloc.exe
  C:\SysDrv3H\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNV\optidevloc.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\MintNV\optidevloc.exe

Filesize
3.6MB

MD5
969dc01a7855e3a1d0748405c296feda

SHA1
b442e921f2206601b7f367d485cfc628bf2953d3

SHA256
27967059336a743d8b5a7b9791e0fa9ce42a9bf8928f73c24fd2db06c1f2b276

SHA512
290dd39a0d1fd51b918eff4e12de3b33f2718eca6e9bb4d3bd30ac3cec56672d0a8b46315225f8b187ecaeffad879885e94f4406e0d393fcbd9de855ef05c520

Download Submit
C:\SysDrv3H\devdobloc.exe

Filesize
3.6MB

MD5
bc0aca75449a1816ed7a804094e9c458

SHA1
67ec06d37c518056cf5dc9adb89ffea9a14362ca

SHA256
9dd0d8be1bb25437c30f5a063124b6b51792e22288bc509e56fe4b6418d952e5

SHA512
54e871df2bdcb07b4ee8d376aa995b9f33bb464c9cca80b73d6ce401c2f6118fc78d1cd32ad36bd045d4fafb9949e38669ac513f8f69e12781d4437d13c1bbe2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
29068548de3b60bfa54f1cc088304651

SHA1
0383147cfc14fe7f1b96ac330c9dc63043efd3a2

SHA256
c97ecf292abd5775e479a9aa02fcca427e959d3a97eecf7cb55d5abee6f9109d

SHA512
bdb5fe77c85ba27a6ffa019282ea102117bc12004e7d5e591b3eaf77358daef8a778bc09fd06f636fef4c1eb796cb0d27620d23791e6b328c9d9a37f33ca54bf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
0c1753966093fd04c3a3c8196f2510be

SHA1
21aa37dcfbd1b8da3fd707b0d78b21e5b6feaf6a

SHA256
59d7cfeb080e642f8e371e970d5fae798a5ae04717ec566fb42addb2379d2c58

SHA512
a140775515ca960da3a772c78e2dd113e3ea5c077114088c897b60aa2169bafa3c6edf2090c74a6338b318498486908b7fa57de71bd46271c3b66cd3e4da14f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.6MB

MD5
53825dd0b3fde04873a3c5f54a85bc8e

SHA1
ed3ce6d7228718496865dcb524b5c320b429675f

SHA256
6c5da1d9b293e9d9aed4931b987c01882a7cfe8695da5d1c69749d03f14fafe4

SHA512
d4374daab164967805afad61eb8cc898408fa665067da09730e752a2c04088df5c999da492da3efc132ac0dd5798a2956c9ce92183210271a0747789cc136c79

Download Submit