2199e122d3eff394111adb572dcefb2fc6c4170cd0af0c2aaa856080a92ccadf

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222418bd07881e783f49ad027e0951e0N.exe
Size

3.6MB
MD5

222418bd07881e783f49ad027e0951e0
SHA1

a533a7fa718958884e6b382d7b48bff84d7a4cad
SHA256

2199e122d3eff394111adb572dcefb2fc6c4170cd0af0c2aaa856080a92ccadf
SHA512

e7c07d9816d3cfcd198186f08cbe3f97f5083beecfb983dbc996b019bd50c0d9d67ca090311c6f8f1a362845941c4f980cde19e6fc4d505fb6d84b45d96f1880
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8:sxX7QnxrloE5dpUpCbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	222418bd07881e783f49ad027e0951e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	locdevopti.exe
2008	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	222418bd07881e783f49ad027e0951e0N.exe
1408	222418bd07881e783f49ad027e0951e0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2Y\\xdobsys.exe"	222418bd07881e783f49ad027e0951e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintF6\\optidevec.exe"	222418bd07881e783f49ad027e0951e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	222418bd07881e783f49ad027e0951e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	222418bd07881e783f49ad027e0951e0N.exe
1408	222418bd07881e783f49ad027e0951e0N.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe
2488	locdevopti.exe
2008	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2488	1408	222418bd07881e783f49ad027e0951e0N.exe	31
PID 1408 wrote to memory of 2488	1408	222418bd07881e783f49ad027e0951e0N.exe	31
PID 1408 wrote to memory of 2488	1408	222418bd07881e783f49ad027e0951e0N.exe	31
PID 1408 wrote to memory of 2488	1408	222418bd07881e783f49ad027e0951e0N.exe	31
PID 1408 wrote to memory of 2008	1408	222418bd07881e783f49ad027e0951e0N.exe	32
PID 1408 wrote to memory of 2008	1408	222418bd07881e783f49ad027e0951e0N.exe	32
PID 1408 wrote to memory of 2008	1408	222418bd07881e783f49ad027e0951e0N.exe	32
PID 1408 wrote to memory of 2008	1408	222418bd07881e783f49ad027e0951e0N.exe	32

C:\Users\Admin\AppData\Local\Temp\222418bd07881e783f49ad027e0951e0N.exe
"C:\Users\Admin\AppData\Local\Temp\222418bd07881e783f49ad027e0951e0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\Files2Y\xdobsys.exe
  C:\Files2Y\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files2Y\xdobsys.exe

Filesize
3.6MB

MD5
39b2974d006cd5de8d55eec28b9f02d0

SHA1
78c5ce302da3d7bf0ce848cd99b3ceeee48b9179

SHA256
b6a555c9e6c3513ea6db07e4a49f13e986014b93721bd867268e0514d9d87139

SHA512
1d531529aa9b593ad67dd20769b08bcd86d225ed2985fe33c08f0e36200ace4bd4b7a7296fbc896a9e6d04fc1038c703133a56dfa6ad3c14321d9837a0739b04

Download Submit
C:\MintF6\optidevec.exe

Filesize
3.6MB

MD5
0304b8104f391c54c149dd6b8d9b7b8f

SHA1
9e289deaefd4f4f275f8e9bc2288097ba8599a8e

SHA256
7a7b3c80f53ed271856bfbb77d0d26a10f8db461cb2d6c69e94ecd796782a9bb

SHA512
270101805950554f26a42b82817f129ecb8ff23b1423bd1d2b51589c21903f5884306077566ea5e9ef9e6d04e5221969ac6df9dffaffa379fd11d2eca772129b

Download Submit
C:\MintF6\optidevec.exe

Filesize
3.6MB

MD5
7edbc6dbead151794a4eb8d048db4215

SHA1
f13e7a2235757159e883193b0c4744c037c7d573

SHA256
7f64def4ef71c1ad3cae4d2d9595f21593b9f6133894fa1b8559e642bb9e952b

SHA512
06ceacbd38058674cb9273ba1909f86686636feba913745834859d92c4f1435d4c7f18db6accd76720d3e235305f4f069441cf41ca77da7243282800c52f6919

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
9741998773d7fbbf7882138abb18fda2

SHA1
37815684ada0aac070be352f1ffcf9090a43947f

SHA256
0d4dd368a07798a084690ff9c24efb90feec054ccf00616c51e5c6920ab0d9f5

SHA512
b07b4180640fbcc615a14fcdc7c195df812816522eddfb6becf97a98c4a1c07f2363a0d3d23d75c3b32f44d7530999168c0410b3aaa9ddb95e8f669b17e19721

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
f2036cfd05d23044e28c041cc723a993

SHA1
510820aa1ce6e8d5be5f06e684f9ddae68cc0bf9

SHA256
c527a2287f87265c0e58ed072d998157ef5b18d6899f5884c113f5c2637650f1

SHA512
c68ea08e582aeab85c8d61bae35301c230f4c29f77410c72965d6322aebb7a2f5c3cc993bab390f25d4fa31bb7173085b70033af86d877a354ad1e08d9e6d249

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
1592d6e4ac0c7a2f073851f99c29be66

SHA1
7977849e958cd804221679659335caabbb26be59

SHA256
0ff7d6d98f33efd1c8e0ef58d5313237d7e39c015b8cc798f4d9daf40b3bb0e9

SHA512
c906465da14d0e491f0cfe1826aa689676a6e45bfc7e9fad4a0cf8cc0781aba80d310938baadfe152669a53e4fff852000da17fc2590b38a353d18706a3bb3e9

Download Submit