cb627ea97186743dacdc4a8fae438058c3e3ccb871817c16a2e5f97b1b270158

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc7676d7bd931a817897c2dde7ee930N.exe
Size

2.6MB
MD5

3dc7676d7bd931a817897c2dde7ee930
SHA1

c0e0cf70045bf78fbc93b664d0bb41b88e28f45c
SHA256

cb627ea97186743dacdc4a8fae438058c3e3ccb871817c16a2e5f97b1b270158
SHA512

77e2498add59815c05e39120f9f379c1ba3a2059eb2191d40956b22c75e7241b899c750b0218d1ef212e4c17ae82675780a2a80cd4bfecdf27963d897f4c385c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	3dc7676d7bd931a817897c2dde7ee930N.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	locdevopti.exe
2860	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	3dc7676d7bd931a817897c2dde7ee930N.exe
1812	3dc7676d7bd931a817897c2dde7ee930N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUS\\devoptiec.exe"	3dc7676d7bd931a817897c2dde7ee930N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGS\\optixec.exe"	3dc7676d7bd931a817897c2dde7ee930N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	3dc7676d7bd931a817897c2dde7ee930N.exe
1812	3dc7676d7bd931a817897c2dde7ee930N.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe
2744	locdevopti.exe
2860	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2744	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	30
PID 1812 wrote to memory of 2744	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	30
PID 1812 wrote to memory of 2744	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	30
PID 1812 wrote to memory of 2744	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	30
PID 1812 wrote to memory of 2860	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	31
PID 1812 wrote to memory of 2860	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	31
PID 1812 wrote to memory of 2860	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	31
PID 1812 wrote to memory of 2860	1812	3dc7676d7bd931a817897c2dde7ee930N.exe	31

C:\Users\Admin\AppData\Local\Temp\3dc7676d7bd931a817897c2dde7ee930N.exe
"C:\Users\Admin\AppData\Local\Temp\3dc7676d7bd931a817897c2dde7ee930N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\UserDotUS\devoptiec.exe
  C:\UserDotUS\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBGS\optixec.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\KaVBGS\optixec.exe

Filesize
2.6MB

MD5
bcbf1fa5f376a16ffbed6b39c6896c89

SHA1
dc7197bb56fd21d21a013029f3dc4475c36481b5

SHA256
6d2f8089704776988299dc7c282db350b03a7cd7769067d11174effcd4d29bef

SHA512
af61b9da6f5dc6e0f1634bd15a5d4b268bc0ada88bde51290d961c1ca74a042b91fcef376e55153ae07ad283cc98752efe07b7bf36ffddfce938d47b968a9af0

Download Submit
C:\UserDotUS\devoptiec.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
06f5256b3934942034d9c9221139c2e8

SHA1
fc574ef9ca43830ae66ca7068012e5beb8619e47

SHA256
5ec4f7c9f9177f7957689258334cea1b6e0925b819af72a17993b85ce78ed843

SHA512
5dd773555cfcb014b7ff4253d6c6da234bb72490718f96ce105e12b60b981dfe5fd25ecdf74ff68380c469b945cafad4ec98acf92737d51328b44ac9c10a7efe

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
8ce2c083bedfa8ae1003a2d4a932c345

SHA1
fc01be8a4db45af4cd0a05be89173b770efc8ce4

SHA256
cf01ade593fea95d1d9b6930406e7cde67d9c2270a6fd6713d460578e96d85d6

SHA512
60313bfb4c62d7ce30718cd0893614c313877a0e9b1a58563c2c6a9c138c05a11c2afbe7c6afe160cb046e39cf0858b52e08bb79e728282c4704e2d0be28dbe9

Download Submit
\UserDotUS\devoptiec.exe

Filesize
2.6MB

MD5
e78bbe9fe5730d9051340d9f8ed2616e

SHA1
234bfe6273ed58489971bd0f7050f132c63fdcf4

SHA256
f0d7d2092c04f841a7ad67c3d7948ddb1ac06bf290e3ab35756082b46d6ad47f

SHA512
b596b47552227c53f8bae5887bd1a7a6e9eb9016a6caf3826defa03fc540fc0fa7e72adaf5ed982c42e20332cd09126ca3b2c2efa4da9c77bc9bae3749d965ee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
a1dc3cac87b2d39950b456c7226f8866

SHA1
5b8794d1bfd4559b6192a62008e2667c2c19ccb8

SHA256
5ede3f2917a3f5aee6c02ba42a468217d4a70aca86fb2a213d365b6ecb60e1b7

SHA512
427102865ecb56dc85b5b5ae20a304e59746f657bfe2a56f612526ba4697bff3e9dbb8a0e7288adf970fca6f74a3b8e07abf702c5a0a94390c0a13ed6cda31a9

Download Submit