3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
Size

4.1MB
MD5

6dfef0960942fdbe4855fa92f26df56f
SHA1

fdb3c82bdcd84bea803f3a219b0b858f0379f3c8
SHA256

3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360
SHA512

76a40a3063c6afae8458626a716d671b43d7b6f569bbe1510f85e7c6675a62655b3a0ea0839936c0a888041e897e55acf4fb5786df38ab2fbdb24ffd55092eeb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	ecdevdob.exe
2640	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYC\\devoptisys.exe"	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidG3\\boddevloc.exe"	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe
2504	ecdevdob.exe
2640	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2504	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	28
PID 2972 wrote to memory of 2504	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	28
PID 2972 wrote to memory of 2504	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	28
PID 2972 wrote to memory of 2504	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	28
PID 2972 wrote to memory of 2640	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	29
PID 2972 wrote to memory of 2640	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	29
PID 2972 wrote to memory of 2640	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	29
PID 2972 wrote to memory of 2640	2972	3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe	29

C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe
"C:\Users\Admin\AppData\Local\Temp\3a36456248b720193225c624ad7b6a725efc6d9970617b812a5973cc2c395360.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\SysDrvYC\devoptisys.exe
  C:\SysDrvYC\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvYC\devoptisys.exe

Filesize
4.1MB

MD5
c5ab2083a68364ce70473ec21cb0d6ad

SHA1
be4b128af267a318d5705a4f12f53880bc648fd3

SHA256
8b7bc8b651a2e67ae7a79f5d29b8bc89282464371a291fccb6948e9101b45efc

SHA512
92697b1db5c3f9e51b06d8e4baa3d25eddeb16c23661330e4d551243be1b4d4c63f13ec3fda02b805705b412a1e523d7a7cdce73dd042f78a7416dd59eb289d8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
fba12bbe5ed91733c5b093eaff252195

SHA1
168de2a3c765e21625b1b0af96b2510c5e6dcfbe

SHA256
9bbfee84e45978d7cea1afec17ee168d8b71d43aabe815715b91db0b270b6342

SHA512
49a43919d05e0e97e1131b72b335fdf001f0472c9a46213869862f45108af34024e80e4a93fff21be9e6d83d6ec189bbdc992d0070d311e6651c461723d375f6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
f357143f87e3adfa67077b621902541a

SHA1
8ef5281d1ac90f31326c7d17e99f21c673b65472

SHA256
10095479d425e9e2172b7147c99b7e6d2e52d9c4c5762b928ddf02adae4238ae

SHA512
701ff939838bb1cbba5cde6db79faa9920531fe9136afad7c34d7fb2e1776723e82061e999424596153b716636b126416ebbbb1c1f0aea80034e6f722c7f0300

Download Submit
C:\VidG3\boddevloc.exe

Filesize
4.1MB

MD5
d18bd6b4a1f6484cc37234cda18c8fa6

SHA1
b5a626f572c43cf87795ae12585eec08f2c09f74

SHA256
f909daf990d1fd8e5c87077037b7dc87dd26479415d1cffe0f42c0f78221a089

SHA512
8ceca1d17e1f26ee4bbaa29c85aed4b1186d4d8c1b7e48dec718db5aad2b66321fe792ff76c73e2f52e87f1c8fed81cb9e34ac731eecf82bfd2d78cc224c3541

Download Submit
C:\VidG3\boddevloc.exe

Filesize
175KB

MD5
45fe14f76839e9486445fd54713736b6

SHA1
bd546833fac1af06f2d752ff8daacb898316a121

SHA256
0415455288f159e32b3190fef979546d56da9fe3cd7a593a07e3275989da3a9d

SHA512
d3c49ad36c5ee3a8cbcda62ad01fc5576c602a3923d42d73a80af4ce6c9a4f4b62646923b11f40d50cd85d83ee3973dda825a51fb1ad84c2c7ecfee6106c8000

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
4.1MB

MD5
c9301d17b7af41b65af1ba1cdf3975b4

SHA1
696fd3d6d4302471aebda0fefe0ad60dd0000bb5

SHA256
5ccd15a85cf7b8635bcac452c25169cafeedafe04f6ebca7f1268f6b3e53c62e

SHA512
81c3cc8d150aa399c07eefdc6322b69fb48236106c7fbe0b9d1376176aa69f7934d2c8dcdd3193120725bcf158aecda0efe8caac836e43414f0833d765390bb4

Download Submit