17d734017eaf64219118de0e64197f86874856476ce59bb451f7dc6f1bec3625

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 17:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e82387b49d44264cfd7db3bf471d8b20N.exe
Size

2.6MB
MD5

e82387b49d44264cfd7db3bf471d8b20
SHA1

ea313021c10c044f498917e1b1857c8c6bf33dd7
SHA256

17d734017eaf64219118de0e64197f86874856476ce59bb451f7dc6f1bec3625
SHA512

6ad5079b5248a4ec0d5795926a7600159a100ab904063484e10458e75c434b55c6a605522ef8617fe7efca41d8ff088f671ab489b0bad3e58febfac49022f889
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpQb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	e82387b49d44264cfd7db3bf471d8b20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	locdevbod.exe
1884	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	e82387b49d44264cfd7db3bf471d8b20N.exe
1964	e82387b49d44264cfd7db3bf471d8b20N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1D\\devoptiec.exe"	e82387b49d44264cfd7db3bf471d8b20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMO\\boddevloc.exe"	e82387b49d44264cfd7db3bf471d8b20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e82387b49d44264cfd7db3bf471d8b20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	e82387b49d44264cfd7db3bf471d8b20N.exe
1964	e82387b49d44264cfd7db3bf471d8b20N.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe
2288	locdevbod.exe
1884	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2288	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	30
PID 1964 wrote to memory of 2288	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	30
PID 1964 wrote to memory of 2288	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	30
PID 1964 wrote to memory of 2288	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	30
PID 1964 wrote to memory of 1884	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	31
PID 1964 wrote to memory of 1884	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	31
PID 1964 wrote to memory of 1884	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	31
PID 1964 wrote to memory of 1884	1964	e82387b49d44264cfd7db3bf471d8b20N.exe	31

C:\Users\Admin\AppData\Local\Temp\e82387b49d44264cfd7db3bf471d8b20N.exe
"C:\Users\Admin\AppData\Local\Temp\e82387b49d44264cfd7db3bf471d8b20N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\UserDot1D\devoptiec.exe
  C:\UserDot1D\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZMO\boddevloc.exe

Filesize
2.6MB

MD5
56b32ef1d9f0de7b9dc3afbd1af056ad

SHA1
e6d70f0ff206d4c7120769eee2a4af378d0727c1

SHA256
39995eeaddaeb035eb020209d1673f0f1ffb47888dfecc86f06f6865478775b0

SHA512
5585ef3dc1817390a393f757215b85fa9b2158a965209a312b991d8df18ea7b91d5a2da03a25f40cc92c1b8cdae69b6179d2736f0119ea613512b481b77da722

Download Submit
C:\LabZMO\boddevloc.exe

Filesize
2.6MB

MD5
7d52b3622a8bc69e3a6e6bccd1e8c665

SHA1
ff5e3e6806a01ef3c9f5d47330b5ec75e163e489

SHA256
8bcac8a90ba0c2d2a8b19fd6dab3ed9236a76c6d5e3e5d9c67c502edfe8831f5

SHA512
1790833c7f56b1c3947587d7241fec5a0d0f866e3de1d440de09039c0eb39650a5088036ff73930d787b5d2a997a145df0a11e12b71477d02c33b4955a9da53c

Download Submit
C:\UserDot1D\devoptiec.exe

Filesize
2.6MB

MD5
c0a262d87facd9301b40f5a2b2397917

SHA1
bee8ae486116d1f5e382e831f371a5238de6ee1f

SHA256
4cd0af4bdc64fa6d63e0cb0be55f34d4b0c8fcb33010155aebe2f43d95306c99

SHA512
9a0cd00366ab7135f0002c67dd5282d0f7e051484c6b4a0e2da06519129c1531222dd9ee35dcd35fd9d5412698e594e286265b00cc607a06e8b873c99dac0be4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
6aed2c6d681adc322724f6057c389cab

SHA1
778fc77d715917ee13f4e717e8efcb7545382b84

SHA256
21eb3c011d2f8f86e61c46bc1332b11e9d1a0a7503f103b5f25c956e0d8b9248

SHA512
fe3cae5898a946526a322bbae60c18ef1fc1596eaaad28a449282ea74cd83cb85ff2a4214ad1bf75549ae0812dc6c57ad0a8a6c2294ad4f295baf9768511073a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
01ca2471b99b339569d8638f3e211f7c

SHA1
8ceb28d4983824de84f3daaf4d59a443826fb934

SHA256
44c01600470f75e1ee763497565946a8e51cb1b3c51b3ee56a9f0eeb9123687a

SHA512
1cbc0d7c7bbd6f5c523496318b9066b68559a815831b4aedab5ecb89a832b4d999b6bc5ceb83740cca987fe15ba453b7e3fd1a3a4d519ddd446d19728ee1a95b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
9064f09bc632599f9c290783c056ec40

SHA1
cb46561588e264ba2a05290e202dfa859d906506

SHA256
c223f0b87699e70c967e56212d0f9f7a4d98901b3d2ce2af86f64ede90e1ab8f

SHA512
f39dc5242ea933f1ca412ffcad7bfde7241ceb444351d7aac3f6e6162a4048ec19de10f490ae2615cee5d114d26aa467d9c8bdb681eb382ff858a20047964da9

Download Submit