3a2751531804c6a9506569a90a8abeb3f0901b40b9bd66494fea135df8cefeba

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

005c8eecb10f6067072a3076b25c40f0N.exe
Size

2.6MB
MD5

005c8eecb10f6067072a3076b25c40f0
SHA1

d0e3aa65b7e10d5bc8886457a0a5d535e96c5289
SHA256

3a2751531804c6a9506569a90a8abeb3f0901b40b9bd66494fea135df8cefeba
SHA512

03c76d936b7e66a13a917cfa8a62a68ec75d657f0a0ac4df6869651d22304ea6ebb36a2957890cfa3deca153c802f4b04c026427e8c20e7372908b4f94ce2bdb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	005c8eecb10f6067072a3076b25c40f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	ecdevopti.exe
2636	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
592	005c8eecb10f6067072a3076b25c40f0N.exe
592	005c8eecb10f6067072a3076b25c40f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvE9\\devoptisys.exe"	005c8eecb10f6067072a3076b25c40f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFS\\optialoc.exe"	005c8eecb10f6067072a3076b25c40f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	005c8eecb10f6067072a3076b25c40f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	005c8eecb10f6067072a3076b25c40f0N.exe
592	005c8eecb10f6067072a3076b25c40f0N.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe
2556	ecdevopti.exe
2636	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2556	592	005c8eecb10f6067072a3076b25c40f0N.exe	29
PID 592 wrote to memory of 2556	592	005c8eecb10f6067072a3076b25c40f0N.exe	29
PID 592 wrote to memory of 2556	592	005c8eecb10f6067072a3076b25c40f0N.exe	29
PID 592 wrote to memory of 2556	592	005c8eecb10f6067072a3076b25c40f0N.exe	29
PID 592 wrote to memory of 2636	592	005c8eecb10f6067072a3076b25c40f0N.exe	30
PID 592 wrote to memory of 2636	592	005c8eecb10f6067072a3076b25c40f0N.exe	30
PID 592 wrote to memory of 2636	592	005c8eecb10f6067072a3076b25c40f0N.exe	30
PID 592 wrote to memory of 2636	592	005c8eecb10f6067072a3076b25c40f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\005c8eecb10f6067072a3076b25c40f0N.exe
"C:\Users\Admin\AppData\Local\Temp\005c8eecb10f6067072a3076b25c40f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\SysDrvE9\devoptisys.exe
  C:\SysDrvE9\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxFS\optialoc.exe

Filesize
2.6MB

MD5
24f3fb162ddec25885389bd1a5c0b2fa

SHA1
ffbfe964822911f5f3036fbe3a7969abb6d9d24d

SHA256
afb1a23385c1a16ec8dfb709bb7fec422087b63f4ec2c4027fccee8bc56e07e9

SHA512
b9203231278009e7d8de6161b8817a5fe8531d9011b978b74f3f00d165402783985081e160bcf1adfc9f47287388deded59a8be29afa50d164211dad117e7842

Download Submit
C:\GalaxFS\optialoc.exe

Filesize
2.6MB

MD5
9061dcad0e2b4adc35cc041800af6236

SHA1
fe97ceed494dbcff497cceabd5b8bcb544a96b26

SHA256
1b7d1ee109ef3539a0ef3647254f1fae6a8c24c301f18acf341e8ee4bc1e00c6

SHA512
59164a3433e01f25fdf44d0177c894129aac4a5ccfa92db9e23aca9f9453c416c993aa9b4bddd64a279cfad297c0a151f964f592d98954de234cbb7232bbab53

Download Submit
C:\SysDrvE9\devoptisys.exe

Filesize
2.6MB

MD5
03c60a8cadc74446b0fca1cfaf3c9ac8

SHA1
f6469eb072698adf6fc08f20578613f33b6ad247

SHA256
09a6a9ee9a68e1e50be8a2ae3a0d2a630aeffca01ae2d687c7d666c283b01035

SHA512
d6a6fa4f15b11c939789fdc172c561b3782dd2e14a6005bb203bac283911a728478c8fcd6dfeff1183a96354ebf48bbdebf2a52942e9775d58c456d5abec7729

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
2e443019fb724c5b640913158ddaf3ea

SHA1
ee714da401d5341cd93990010f04fecd20eff6fd

SHA256
08473db1b9d641b955b200d1afba1f12c218e703bf62e3b57359a4cbb57faa64

SHA512
54277ca8bc982d02bd3ed86dd38275190c69887fee5d15ba91978c17feeb84113ca0a6fee79d9b233b9b0406a2a1338f3fe073796e7ce281f90e43ac0100f25a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
240e15a22e88e3399ae48851b1142605

SHA1
a2f5294d39a549f5dc60d0265f54e827aa62ae8e

SHA256
46691f9d2f2067dd40c479264ff83713f562be98d2faeb0fdaba17b48e55005b

SHA512
8df13aa57d5ecc5e30b370dfeaa5de61dc83c5b391ecb350eb5ad2b63754590cf98525b251a28b506d35a3d4f117bfcc2aced65f51c1cb9e91c92f37351b01e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
cf75852a60ad06290957c6e912fdd0d9

SHA1
069c74f026998c702353bf06b4f6bd7937dd754e

SHA256
077e8ea13e2df0952ea1522456719fd5cbf877a48139b6a2c2783bd959d35b11

SHA512
50ec46c8e6f2285de247ad8f9bf8d95797493745eb7d13fec5320d4d9c023801ce553548e2c7efbd9e215a99ab176f2251eee9210c158d66d89db3d340fc534d

Download Submit