956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
Size

3.2MB
MD5

96dc40b005b55467c16f2329b9f97bda
SHA1

15ddbf6cb790e76bc1bfdcff78ff129ab75f2ada
SHA256

956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc
SHA512

44daa0ae4c7e46a16401816cd8d3af7f2612c5c936f811f5d26740714310b46b04b278898019e35759707748462187df1ac2c79872d15abc58356a6fdb36ff39
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	locabod.exe
1072	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSW\\devoptiec.exe"	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1P\\dobxloc.exe"	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe
1208	locabod.exe
1208	locabod.exe
1072	devoptiec.exe
1072	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1208	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	85
PID 4356 wrote to memory of 1208	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	85
PID 4356 wrote to memory of 1208	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	85
PID 4356 wrote to memory of 1072	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	86
PID 4356 wrote to memory of 1072	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	86
PID 4356 wrote to memory of 1072	4356	956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe	86

C:\Users\Admin\AppData\Local\Temp\956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe
"C:\Users\Admin\AppData\Local\Temp\956e1b4d63a759dfb7ffb036c6f95bbc337bd09250166349f906e3b8fe68d1fc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\FilesSW\devoptiec.exe
  C:\FilesSW\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSW\devoptiec.exe

Filesize
3.2MB

MD5
d1673d5abdb26be8139d400072d69bb4

SHA1
4f8089d1f201cd3d598652f54ad59a35bab3aadc

SHA256
7963fd3265ee71399ffd5be33e6c3166c56c9f9b984d9884d57b35ce6fd930d4

SHA512
a1a5d6df3641534c061c90de482f29d046721bbf8fffda8f01a6e225ac823a4b0ba6c81ea2ba5a15f4f7f94129b8d6e22964d4616ec4674bdd1827ff335fb9f3

Download Submit
C:\Mint1P\dobxloc.exe

Filesize
789KB

MD5
f77a58b964ea6c2081b79631987254a4

SHA1
b6b4ca47c75dca4f63636ca384d8c3a6d68b3588

SHA256
38137b81d3df01faf84840855f402e986b6f26774da2f4d573d2c11a1667dcd3

SHA512
3cb9e7191bde67584ca4227defc6f4fa89b11f1fa37c5d05d02923997ebdbf2c19c2979186baa89a17a006a176ce0990828bb969a2ec9cb136abb97df9f24075

Download Submit
C:\Mint1P\dobxloc.exe

Filesize
3.2MB

MD5
b0e93533c759899cf134ea48bfc89e00

SHA1
36043bac1b6897870e77c93b3ff27a0861d9a538

SHA256
443faca32170695685ad307b106e89ce3ce527313280dc4771f7da59f67cb506

SHA512
80396d3ac3994cb3a24fffa8dcaba8a55b5680029693f824297c7172b3d947590103f32ab4c916ed29c81e5b4abfc0facf0b41bd3e5f3491d6371c692b44e51d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b587bae54bdc57e25bac41bc36002a4d

SHA1
73d3e7b5a42a833842d4d4ce523e4dda8e8c7351

SHA256
b24072800561e95887d8324a55520285cb7c604947c667ba45e9c03ad61d1bfd

SHA512
2a5d574aaf7ea39d5c5531e6b21e7010b7c53f7c1d65576615b1056a2c604db38702e6bbc3f57a52789cfcbf8fb9aa6b2b392bddc1699c5e30131874ec76c6aa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
658595c63053f5feb84cb862b621369e

SHA1
7927fc8277c10807e70d6b9cccba94e30b4903b1

SHA256
5cb94cb047bdcde3dd62590fa57ee2ddfceacc98dca36c0bcd8ff6d1681c81a7

SHA512
a44620da47e3ffa901e61c5afafc2f696549b6022f3bf9ba834d35990399c6b2cae3f4bb72e803ffb4371ae2cec40211c319bf04ea76aa58e179ed34f25d7ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.2MB

MD5
4ef6690a6d694da563f9532e55a09857

SHA1
a90ac59675eb5e323b0d0740ed0c651c8bf3a1dd

SHA256
c522ec6b1e791a0d4029d9b13c7cb7b5b66986cb345f85dcaf658952a10b2c49

SHA512
1899ec3025e119efa9b8a2b284762348186bdf7a6637fa86b6f47764ab74870f1207b59e25d87abdbc5acad44cab0f827a5503ee54162f4697ea685f3acf5f00

Download Submit