9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
Size

2.7MB
MD5

46ae2ff7c79c3be6d0c43f95933ac6fe
SHA1

a8e4627d61e101d5a12d2f0ee1dd7f8c1709f60e
SHA256

9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84
SHA512

5415287e796ea86fff71ac65ea9a228525638a82cbba582f86284c3aef3229d36c9ffbbbc8ec6bebc86f46e14bb5d90f77bbe33ad613d5083dc5daeadbb914b1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpybV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe

Executes dropped EXE 2 IoCs

pid	Process
3860	ecdevdob.exe
5036	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9X\\dobasys.exe"	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWJ\\devoptisys.exe"	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe
3860	ecdevdob.exe
3860	ecdevdob.exe
5036	devoptisys.exe
5036	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 3860	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	89
PID 3760 wrote to memory of 3860	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	89
PID 3760 wrote to memory of 3860	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	89
PID 3760 wrote to memory of 5036	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	92
PID 3760 wrote to memory of 5036	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	92
PID 3760 wrote to memory of 5036	3760	9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe	92

C:\Users\Admin\AppData\Local\Temp\9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe
"C:\Users\Admin\AppData\Local\Temp\9b1e0be995116b03393a001f7d3212ba9d235c4d948f35f87835cc9d2b47eb84.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\IntelprocWJ\devoptisys.exe
  C:\IntelprocWJ\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax9X\dobasys.exe

Filesize
2.7MB

MD5
7f71505765fd41ae95b69c348903418a

SHA1
e52e120418bf2baef97263f725a0d57f7c49ebe1

SHA256
c818ec3989d1db8555864a99c7213ddd999c31790ee5adc01ec94bd4708f19de

SHA512
d5cb577baab24d120c3eb1d9796368f2a5c2e031c5d9a52fbd0c438a3601939a7f142ae15e725d5968d3f598589da14756223ba85deacc2c587cb9ecaa72fa3a

Download Submit
C:\Galax9X\dobasys.exe

Filesize
2.7MB

MD5
a97937d3bd22049a280f707bf0605c82

SHA1
3de40691ec893ae73c9e010d9586a5392ec91348

SHA256
9909b47c324562fba52c15f84459933feda273fe25ba3ae3ec01e4276b425468

SHA512
5201c6c801497ebac66b78a6b2dbb758ff0489477ae9ab8de8c2a52f677827c422264978dcf86bf0594482b102fcb07042bc8ba6dfb47faf938e30711c50b6f4

Download Submit
C:\IntelprocWJ\devoptisys.exe

Filesize
2.7MB

MD5
f8e4d667472fb5b6da62f13a94831b65

SHA1
c18e53f0e28116d94f67dcf031711e263d75259d

SHA256
3a15a539374b6127bedd32028ae4cdc836e7b4cd2a3846d7ca9f1757d539424e

SHA512
95863715f2d0ed28d60c88abb7373fcb44d60ed6164d1215a70f86c1ef31a5130d39a98c99a54f0685a35137048e8696aed72b577bf06ae095fa385ca3313330

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
32be78b14f81cf466cf902fda0793f17

SHA1
78d23ba0392672e9ae1f8b7f9bf055a93acf12f5

SHA256
2f9094157a389b5594e44511248646f5f8fef305ec8733d74edeea8ab2d79928

SHA512
2ccd863c6df4f16df154f0d92a504cd8dde09689062efc65ede58ab3822d87dfab6452c5044d6ff27c0d3fb687539bec8a49349fe9b841fecb26b70cbeff2b54

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
d66c6d469221663584256e76684786a0

SHA1
3835d17a30ae288af5d89ec8c998efb6bb4c6c6f

SHA256
85d8b2f67dd44422fd8392231378a85a35357a1025792c9024514041decd992d

SHA512
ae7b451324383576558f02c16a6f5706120ef3e99f4157b738ec47af302ca016a0429fdc92cb83df5c1cc5e517243c3d09bd6a187af95af5c76438b5a33af2e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.7MB

MD5
97522f6258e153e04952e140b11994a7

SHA1
c7367ba43ac95fbf379204206a8a419e64cec34a

SHA256
a0069b97b4ffe869d62c75a168e32cd78dc6beb1e6f379eb0239cd325bb3e602

SHA512
f29745e62ad2e6243be2916371d99880fb8d8c0a59d4d26ccfcaff10d909537bd5ecbe457b898d36710fa6716b04b390b8337995ffd6039fa706cef0826b7009

Download Submit