38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
Size

3.6MB
MD5

7e8b9767b76d32cb83c14cb0c5b2ddaa
SHA1

5f973a6d17a06b4959596bf5540efa2278cb82fc
SHA256

38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356
SHA512

c0ff4dcc36ff65ce0d8724eb71dd0a3b70ef7d28017761f3bf023206cb5261e3341b724f689347c2b5166d7511cddce8d7957e8ea6b30f237204e346e27b4818
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpPbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe

Executes dropped EXE 2 IoCs

pid	Process
1156	ecdevdob.exe
3036	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6P\\devoptisys.exe"	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSG\\boddevec.exe"	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe
1156	ecdevdob.exe
1156	ecdevdob.exe
3036	devoptisys.exe
3036	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1156	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	86
PID 756 wrote to memory of 1156	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	86
PID 756 wrote to memory of 1156	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	86
PID 756 wrote to memory of 3036	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	87
PID 756 wrote to memory of 3036	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	87
PID 756 wrote to memory of 3036	756	38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe	87

C:\Users\Admin\AppData\Local\Temp\38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe
"C:\Users\Admin\AppData\Local\Temp\38d2b6851189aed4463b754b62f8ea8d5f9ea184aa4db7f67536644efd23d356.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Adobe6P\devoptisys.exe
  C:\Adobe6P\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe6P\devoptisys.exe

Filesize
3.6MB

MD5
999dd4c698231e4f31f6209b104c6989

SHA1
673131911c2ea7beb8f3547ac64d40fa6adeb507

SHA256
4a8d6fb697c293d3ac2e08b7e8f5585e8d41aecc059c352dfc0551d773960e11

SHA512
4202495190d44ed3247a94cc9da272c69089db4e175d6ac7e5b2012db87b9e082813ee65787c4b5d52467eae151640e51a4062f79daf99c345e0b24e68af1b77

Download Submit
C:\MintSG\boddevec.exe

Filesize
876KB

MD5
6a840e1b52431f9a44f37109fca57d2d

SHA1
779e87ab7f7a8c3629069052536ba6cadd4ebdb3

SHA256
f9f9d3bbeb45a2a678f23be9ae51dac78fa3e5ee48638760796385b0282cdcd8

SHA512
512ca1080398646e2c29176c822d245886eb974e0cfe0d19680cd4955b74ff3225ac6aa5e7fa7d2b3d6c03dd110486a90c7963084f0720e2eabb5892886e8098

Download Submit
C:\MintSG\boddevec.exe

Filesize
213KB

MD5
0f3d38c2810f8dc3fbfd70d36b37bd6c

SHA1
57082ab9b0a339fde5e6c127f74a0f32d8c15166

SHA256
2e822b947b2961ed3a904d1be3ab9729b642e4c6461fc54b0b703cce96a1f037

SHA512
3ab2b69324469deb9c8878306ce3a00e485ca9f0fc565a654f87b8574ed5f392366d6e43b7f07925477373a8c84af6a3134951e86714c8cd926d297d400480bc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
44bc8efeb31c404e49fcec91c7d9465f

SHA1
78c00c028f5ab9e5cf55cf1443de518109525529

SHA256
c8f186fb38000b07e94ca2997d3ad3e2aa622582390cec7e458b7023402e6f95

SHA512
ea7b07bfee8939fcd0ea79ba862cddd0f05505c00dc7f7f570d8a741d9e656e331b38ad84c3684493e12e19e564930a96e16fbd72cacaf34a375220535c5162e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
9250378e079418ff19691ff4e8089140

SHA1
4185c6b8907c816443aee61a8b390b3cd01514b9

SHA256
2004031033da669dbf15b54c7565ed14fee39bd507c8358fbdb5154132eed977

SHA512
db09f37964354d495ae3d542b9ebd9057851a359cb1fd7ab5ba69fa4f7757328d83104a768b575b446b3a85d670d6cbdb55f7f3771640cfe41d81ff7f07360d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.6MB

MD5
f4ab953ef622cd8b3e3179114a86c9b2

SHA1
bc378cbba4ed0649a2b0eaaba4ed83fe3653b52d

SHA256
393a4fbe0948270074c4f3394327f004a65443ad4943fc611acbd628081fc98e

SHA512
e0be549bf3b6f19406fbc6db70993df1b274bc72b52c58987b8aca61755d5900323744ed7bbd3a7f4be0dff4a9b6d6b4cf36b1019e649c5d1ef33f5d8e03c965

Download Submit