c9370ac8d38b8fd85dbcf683d245394fc75985fc7870a592a6eac642915cadbd

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2df562a385b42af852c7e4b1308ea70N.exe
Size

3.0MB
MD5

a2df562a385b42af852c7e4b1308ea70
SHA1

4e40a514ddb28212b5cfb79d6659be584b34b900
SHA256

c9370ac8d38b8fd85dbcf683d245394fc75985fc7870a592a6eac642915cadbd
SHA512

312a83c23105147c59acab509b400106febcd1dcdb5c90d46488fd752842374dae1a04f2b627ec23bbbd9211fe84cddcb3b33863ff44e7d9b612deb2558726be
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNX:sxX7QnxrloE5dpUpUbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	a2df562a385b42af852c7e4b1308ea70N.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	locadob.exe
2744	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	a2df562a385b42af852c7e4b1308ea70N.exe
2400	a2df562a385b42af852c7e4b1308ea70N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBW\\devbodec.exe"	a2df562a385b42af852c7e4b1308ea70N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid80\\optidevsys.exe"	a2df562a385b42af852c7e4b1308ea70N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2df562a385b42af852c7e4b1308ea70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	a2df562a385b42af852c7e4b1308ea70N.exe
2400	a2df562a385b42af852c7e4b1308ea70N.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe
2804	locadob.exe
2744	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2804	2400	a2df562a385b42af852c7e4b1308ea70N.exe	30
PID 2400 wrote to memory of 2804	2400	a2df562a385b42af852c7e4b1308ea70N.exe	30
PID 2400 wrote to memory of 2804	2400	a2df562a385b42af852c7e4b1308ea70N.exe	30
PID 2400 wrote to memory of 2804	2400	a2df562a385b42af852c7e4b1308ea70N.exe	30
PID 2400 wrote to memory of 2744	2400	a2df562a385b42af852c7e4b1308ea70N.exe	31
PID 2400 wrote to memory of 2744	2400	a2df562a385b42af852c7e4b1308ea70N.exe	31
PID 2400 wrote to memory of 2744	2400	a2df562a385b42af852c7e4b1308ea70N.exe	31
PID 2400 wrote to memory of 2744	2400	a2df562a385b42af852c7e4b1308ea70N.exe	31

C:\Users\Admin\AppData\Local\Temp\a2df562a385b42af852c7e4b1308ea70N.exe
"C:\Users\Admin\AppData\Local\Temp\a2df562a385b42af852c7e4b1308ea70N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\UserDotBW\devbodec.exe
  C:\UserDotBW\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBW\devbodec.exe

Filesize
3.0MB

MD5
019b11b886272a8ce5840b5d6a4c8bb8

SHA1
081c9252dcf8287b6d3a5b199228102dcaef8f45

SHA256
6d7746caae40ff5c88bd368a9861ca200deca236a9002bb9de613420aeeed48a

SHA512
e0f6d2d09aad39011e8566f22201f56fef6dd7fdb7a7252bc98319ea37b1e704a91429b02c38047be4d9ebdd33c1fc86863dafcd50ab747ebf8a523799eb175c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
42372bc8e2e8f6df61f63465c62c6f16

SHA1
80664dab740d81173e50d24e1846939ecb801ab4

SHA256
47e4717c272d606b5686b6c5e0454101788eb1375c6797c2868b31cf69cc9117

SHA512
ba2844e6143dfe4d150c9beba8911ad187ac9b413f98282cc6d3bfc0b95898a0232274fc9a15f0564097b3c33ca015abafe8a61d0cfdf0f448096e03f0844759

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
2013e1b49f0d3886e35295c9d1565227

SHA1
8d0ae71b05e7d20c92434db5f6e177a5aca7beff

SHA256
86abc6acdfd7b72a35f62ebadbab0e09082537cfa40e6a9830b397ed5448f5b6

SHA512
a1fa88bc9c3de5810703522fc41363265948ead94d4067f9b4bde4ccf9b4dc28266bcc7171a4552516948039a1cc9943d7de2dfa1d97618493d6346c8b362951

Download Submit
C:\Vid80\optidevsys.exe

Filesize
3.0MB

MD5
fed7e5d2f013218c1d20286f45f9c9a4

SHA1
405c0c07cd332cc1a4150d031bcc3723e09d1b54

SHA256
ce39db6c8944e2eb8084a9ef35ce459edcad076c80ebb8cd7485a7d56aef4ed8

SHA512
ab3912131161c7058e43fcc9ffa43965a1662942ea5f974f6bef87465e4c31ab61629b1b04aa70a486c5979f719f387735c1a0a9cf02aeb2b57a2e1556b986c4

Download Submit
C:\Vid80\optidevsys.exe

Filesize
3.0MB

MD5
ea5e48763d46bdc3f0bc68345e2f38fa

SHA1
e9ffa6f5fc1767a50ba48aa192f21119ef767ac4

SHA256
f95d1afe15f7c2447ef9763516e9a077be3d832f1bc7d45f90bb76005d9eb93e

SHA512
e5537f10cb0d5f2857184249209db87e53c5231e5f26dbfc0d73570eaaf5348e302762252db44a68f43ef6befde98a157df4a09c6dea22cd0a8042467c0b1eff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
b2d4a5707fe1a2cf939b939b94b17baa

SHA1
5bf47f2e805c2a6809973b7d5613f4fe51c854c5

SHA256
2cd3de9e2021616d70e9d9c2bd466ef415bfd265fd1f81fef53adf933eb39cb8

SHA512
c85baec732c653ddc8526b0e009b287f3d03c60cedc72df2bef52c676f00a5be984e303284c048e18d7ab65830ded6065b1af59c5f7a8383a1734d69bb9ea440

Download Submit