a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Size

2.6MB
MD5

0c78f8752b54e17f04b38f0fd76b6e9d
SHA1

61ebea8924e0dece82793998454dff1e1e33b2e1
SHA256

a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592
SHA512

c1e02b8b2613a843dac795f80e27dcbe74d3c14968347dafe8f4f913adb4e74bd05cd524c6a555fbe6ee4734664c94ccfd86a9e4db3fb74fefb01b6c7e3b7121
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUpKb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe

Executes dropped EXE 2 IoCs

pid	Process
2744	locdevopti.exe
2740	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1T\\devdobsys.exe"	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZF\\optialoc.exe"	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
2744	locdevopti.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe
2740	devdobsys.exe
2744	locdevopti.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2744	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	30
PID 2112 wrote to memory of 2744	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	30
PID 2112 wrote to memory of 2744	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	30
PID 2112 wrote to memory of 2744	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	30
PID 2112 wrote to memory of 2740	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	31
PID 2112 wrote to memory of 2740	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	31
PID 2112 wrote to memory of 2740	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	31
PID 2112 wrote to memory of 2740	2112	a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe	31

C:\Users\Admin\AppData\Local\Temp\a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe
"C:\Users\Admin\AppData\Local\Temp\a68adf4fea103c5f43036b7da7dae4ba8484ad32b7b83266bcf8147817b7b592.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Intelproc1T\devdobsys.exe
  C:\Intelproc1T\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1T\devdobsys.exe

Filesize
2.6MB

MD5
aa72f9fa3acaa533c410a2bcceb59c6a

SHA1
fa2f0bd7223a1a9d9b7e27e5eac0b0cc73eae10d

SHA256
86140e28a69f52986d8a20475b59ca82092e71130a0e66fc175ea678fb9a7f2f

SHA512
97b6168ae0e09ad5de71abb3af80ffdb9ef31795c2fcb3bdf68d8041f298b79a4e4544ed6ffc0fba535fe90ba5c04fa914ea716f8c0dcec0545f8518287c1e4c

Download Submit
C:\MintZF\optialoc.exe

Filesize
2.6MB

MD5
075e1f9bef15bd3869defe4d70821947

SHA1
acacda9a73457f3efbf3203791b8bc43efc0057a

SHA256
484f35dd31fbc2a7c43ad34a8c6a8841ee9d899b2ae9aac4606af71ff9651df2

SHA512
71130e91a22a8ef5143d516011f312c68b519454fa5f1b955e00fa06b92620c6811354b72cc2d6f7c47f46663ab6c319362a2a5363d0ba68a57fa23b2122644a

Download Submit
C:\MintZF\optialoc.exe

Filesize
731KB

MD5
c3d9e387a692f97225ab9064c49f4766

SHA1
48646a8934cb0f8fa74f796f62dc1a8cd0fd163f

SHA256
c5fd2da2a0331eed7b80d4df252b88c175bf7d7cd7d1a9bac0fe9f9d52e4363e

SHA512
19b555e372ceba545e9b97c7117c0014ee65ef7dbd4d5e462a54c5eee76b4a6ce71d9df8175f96a07aebc86831bc1aef7899b45ef88cee02cbb9d55d1f3c75ae

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
178B

MD5
23f21b0d2460181e885ec3376f9ac251

SHA1
9f00b3094c1bcee0c087c72d9d36ad60fadf090b

SHA256
988b652d5155af2a450dc222268f363c34b975f83d7a1bb2a565fde4a9ac249a

SHA512
c80a6e306334b4fd2fcf6ffe296baec5549036df20ce6ceece50fad43855c5fb659132b7d80916fe787427d195843f754466c0b14dcb4c003b3717890d7cd6a0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
a515aaa96735ae759d9d09a47216b02d

SHA1
efa4065a07b412e8dd2c92c12d393c8b3bfac52c

SHA256
276bca1b2ef79814277d1e5d0cf5a58377ccdde74cff9804fff1a634ed2eeb03

SHA512
29b343b10d469424c9dd42e5136205a50233650812b9802993509e8167e3162f9119f990f335301cfec025a237c1f3e074cf69f2282cdd0956c0cbcb185ba484

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
8951c55a3c92edbf800a58f8fd70d0f0

SHA1
89d9828de6d9ed82d1e447ab7359fc6f20804018

SHA256
4995ca4ea17e42b414e6fbd11625fd12c6a64884e5198f3f5a5a904b223daba8

SHA512
5ec0f20ea63e0460da6cbf5c78ed4f0a0b5686f182ef852275d4d8bddcd70d1c9181389ceafa3530a15843a0a92581d2d9452cf6c31e9708176438003e25eeda

Download Submit