3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49

General

Target

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Size

3.2MB
MD5

4162ddf5275af7929f36bb4f04a80ede
SHA1

20b1c07822775fd6523d2b876d940d76aed79b5f
SHA256

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49
SHA512

dfab67b475476723478145be8f3faa7907004b173e798e46d74448e1ca0fad8885695942ab1f059de26abcff15ec7d2e730779ec085e972b30d66320a0c70d90
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

Executes dropped EXE 2 IoCs

Processes:

ecdevdob.exedevoptisys.exe

pid process

1636 ecdevdob.exe
1956 devoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1636	ecdevdob.exe
1956	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWJ\\devoptisys.exe"	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9X\\dobasys.exe"	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exeecdevdob.exedevoptisys.exe

pid	process
380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe
1636	ecdevdob.exe
1636	ecdevdob.exe
1956	devoptisys.exe
1956	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

description	pid	process	target process
PID 380 wrote to memory of 1636	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	ecdevdob.exe
PID 380 wrote to memory of 1636	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	ecdevdob.exe
PID 380 wrote to memory of 1636	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	ecdevdob.exe
PID 380 wrote to memory of 1956	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	devoptisys.exe
PID 380 wrote to memory of 1956	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	devoptisys.exe
PID 380 wrote to memory of 1956	380	3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe	devoptisys.exe

C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
"C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\IntelprocWJ\devoptisys.exe
C:\IntelprocWJ\devoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax9X\dobasys.exe

Filesize
739KB

MD5
cbc099f1ae0ca22c51e447583e04649d

SHA1
65227807d842097e58dc6826052770616b9017fd

SHA256
9ae4039c17fb9f8707fd9b1dfc18115571563e47978d5290e360356cbc1879e3

SHA512
acb8c18958f5e22ea1c311d5b4a985b87c412e7c0516840a7967b6e36f7ac5a2e109a5fa0e5cc89064ef5fa9454cf0684b6df1361ba8e706bb4c101e00db2e03

Download Submit
C:\Galax9X\dobasys.exe

Filesize
1.1MB

MD5
5c78bac343c9880c7813a5c17ec6ead0

SHA1
ae5cbf05bebd6ecd1c90442c5d0b31fba50c9209

SHA256
1791314bae7b6919903d52351fd5207d1f61c2bb368a69bdb9abc5dbcb198410

SHA512
750450f321215dbafabb98278374e35a771b6d8cf3f9283efa1c02cd1be202df283a446d7c8688b5901ec18293d6a8b70b2616d7364b2a6c1efd8c01f10f65f4

Download Submit
C:\IntelprocWJ\devoptisys.exe

Filesize
3.2MB

MD5
aab58776c1bb702178a5eb63362d26a4

SHA1
6526e35bb2a761bcb09721c775fa463306ddf29d

SHA256
7d57f0f20514675190d75dbea4f6b012e3988b56685eeead17f75bd5cc44571e

SHA512
71cbee5f5202f0a77086287b2b8414fea15158cf802655d1283af277d9ad54fb52b3954ef583d0de82b861eb4b471953bca8aa97e9ebbf96d522f146a295af57

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
32be78b14f81cf466cf902fda0793f17

SHA1
78d23ba0392672e9ae1f8b7f9bf055a93acf12f5

SHA256
2f9094157a389b5594e44511248646f5f8fef305ec8733d74edeea8ab2d79928

SHA512
2ccd863c6df4f16df154f0d92a504cd8dde09689062efc65ede58ab3822d87dfab6452c5044d6ff27c0d3fb687539bec8a49349fe9b841fecb26b70cbeff2b54

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
d66c6d469221663584256e76684786a0

SHA1
3835d17a30ae288af5d89ec8c998efb6bb4c6c6f

SHA256
85d8b2f67dd44422fd8392231378a85a35357a1025792c9024514041decd992d

SHA512
ae7b451324383576558f02c16a6f5706120ef3e99f4157b738ec47af302ca016a0429fdc92cb83df5c1cc5e517243c3d09bd6a187af95af5c76438b5a33af2e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
234cec31ee696b1c8128e31cdcff4996

SHA1
61ec649caea87beb129be5be05fabfd968524f44

SHA256
d87cee5db6cc7905b4357c6736e721b6958f825cd80e217ace11e9c94eae3ab9

SHA512
9745b3e2e042c2cf3bada1d8a3a2390ed5305d59a7b150a4408a53b090c6bff1aa6edb115348153d6be8012e647cea1d8f9d90436cc14497ae69a474b168c7e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads