9e4e7bb662437ebae91ecfd23936ed39872b697c765f25291b9cfe51ccf15718

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17a8840918a8c0a9b95703c3b83fb820N.exe
Size

2.6MB
MD5

17a8840918a8c0a9b95703c3b83fb820
SHA1

caede3360f1ed9b5b97057f513d467ec79908db1
SHA256

9e4e7bb662437ebae91ecfd23936ed39872b697c765f25291b9cfe51ccf15718
SHA512

95f1ff84e8f4dd4dc06b497baa11f80801de7abdbf5b74ea91fc8e994acb09ddfc3771b07d155b82eec95f9f0cfffa57aa450f2c50eff17b0c5ce921a6628e35
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpbb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	17a8840918a8c0a9b95703c3b83fb820N.exe

Executes dropped EXE 2 IoCs

pid	Process
4196	locadob.exe
2216	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotV7\\devbodec.exe"	17a8840918a8c0a9b95703c3b83fb820N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAA\\optiaec.exe"	17a8840918a8c0a9b95703c3b83fb820N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	17a8840918a8c0a9b95703c3b83fb820N.exe
3780	17a8840918a8c0a9b95703c3b83fb820N.exe
3780	17a8840918a8c0a9b95703c3b83fb820N.exe
3780	17a8840918a8c0a9b95703c3b83fb820N.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe
4196	locadob.exe
4196	locadob.exe
2216	devbodec.exe
2216	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 4196	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	87
PID 3780 wrote to memory of 4196	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	87
PID 3780 wrote to memory of 4196	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	87
PID 3780 wrote to memory of 2216	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	88
PID 3780 wrote to memory of 2216	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	88
PID 3780 wrote to memory of 2216	3780	17a8840918a8c0a9b95703c3b83fb820N.exe	88

C:\Users\Admin\AppData\Local\Temp\17a8840918a8c0a9b95703c3b83fb820N.exe
"C:\Users\Admin\AppData\Local\Temp\17a8840918a8c0a9b95703c3b83fb820N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\UserDotV7\devbodec.exe
  C:\UserDotV7\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAA\optiaec.exe

Filesize
2.6MB

MD5
b4b5dd9d2e05edf192429d1c3921a086

SHA1
db8cccdadd08d4f578539a2618497946c872a94e

SHA256
049a741feb6ba7cd9eff9d2fb1e4593927c11524b655b1b8439988c10124efa9

SHA512
bac294852c365f32a88e435f78ab4ad0c1ac5dc177128eee5e8c6ab48c8dfbe5d4bef3c94257000bcc756bd6983ae5fe6334e79233f7d9cac347ff6eacc365ac

Download Submit
C:\MintAA\optiaec.exe

Filesize
2.6MB

MD5
5882f57dbff91c6bbf77d90a785741b3

SHA1
1ef4cfddf26dc4797b4aa4674c674d130e46e1bf

SHA256
6b360b06a2801b00bbbe2e94f8fd9fda1450c257553d6109d3e2bdab4130927e

SHA512
e689dae44174cf1a22502cff90f2b8ae350d54e2350e5244b353a19ebc377fe9e472b384f19ca8dcbe67fe552ff8c3bd5bb6fb731476c71cea54b88aed910a14

Download Submit
C:\UserDotV7\devbodec.exe

Filesize
2.6MB

MD5
e3fedc31c72e663c21f80afb6af65a7b

SHA1
1665be421f95d5fec9044bf7ff25997de68c5eb1

SHA256
0c57372f02443c1777e28dfcd03cf6754edb79e1e5d414a247fbc9524c8d4af3

SHA512
99acbe8b3d00af1a12abb67bc7aab23035c2373376d3a4dbb36320b490ba124f306f0632b771ea7acdbd1ceda2dfb8780ea26d52d845295fbeb9cd34c26f16a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d126931bf8da4ecf2ccc2516ae243d7d

SHA1
40b9a5c7f7f0edd47e16e8801ccd718a6ac9e03c

SHA256
0bdefc9222d5aabe12ebd05f3e3d11292771e1c644e231cdf18dbe9ee38ff01d

SHA512
814b7d63ee3a5ae447f4d4f9dd4fcd89b209d04d266b772233a4c5eebd01506424c477837e3b2654c30f2fccdc84dbd1a83e00f534734ae39e65e17caaf7a6a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
963c29b0f0497c66510a995f937fdce6

SHA1
a0734fa045ecfbef5f73d0fa57d50e8476cf6f74

SHA256
0d12ea608f49c77df0a7ba99978e33fb11f3638c52f74fd77b29b17020a0e276

SHA512
721e5169fe2f500d9c4d6611f07ad3dd593b6b5d460fb5cf5aa793e8713ff194719907b1126dc2174ecf56758c5a666c191bc974ed1af9c9877154c9baa0d461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
6e7742c8b4dd93eeb461247170cdc519

SHA1
677a3156dd2ac0cd16142b621d787fcc2a1e8b0c

SHA256
0cf9ff9db9bf78fb218784b872d2e48140d721aae7f6300c5df74f48a64e1cf2

SHA512
2cc8fb6607b5641e7ebd6137a2ebbb43537d8161d42f155ca131f7ef9a4c087a4a5e1960ea87f22b2b0a2565e387bfec3f333017dba84a578615279e1207ae9c

Download Submit