bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
Size

2.6MB
MD5

2308f1f6393556fff2a14c264b542385
SHA1

460dfa5e29858ce0ed47202f34ee95327a979dff
SHA256

bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67
SHA512

53c5f527f678ce4f20d2f7e13a1d99eb85990f16b09775b27a5b71cd57389ad7225bccd23900ca4e98be67b66e40ce7f70697b3117f7cf9a3d959ad714ea3061
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpeb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	sysdevdob.exe
4052	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTY\\devoptiec.exe"	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNP\\dobdevsys.exe"	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe
2400	sysdevdob.exe
2400	sysdevdob.exe
4052	devoptiec.exe
4052	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2400	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	91
PID 2064 wrote to memory of 2400	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	91
PID 2064 wrote to memory of 2400	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	91
PID 2064 wrote to memory of 4052	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	92
PID 2064 wrote to memory of 4052	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	92
PID 2064 wrote to memory of 4052	2064	bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe	92

C:\Users\Admin\AppData\Local\Temp\bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe
"C:\Users\Admin\AppData\Local\Temp\bc45577184d07e3a876244ba4c7587d717ba6f2c1084832bd5b2799d74a69b67.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\FilesTY\devoptiec.exe
  C:\FilesTY\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesTY\devoptiec.exe

Filesize
2.6MB

MD5
3acddf00761d5d4fb9981ec0519bb3f1

SHA1
e85fdd3cfc2fefa8b133d13cd295903222ddc1c2

SHA256
bf26c02520a230003e19c9f328e9e78ca55445ecb6820e431297f0fb8476ed37

SHA512
ce0b80767b934c00112d6ca60c2d40ed3907eabf528f1b179684611440ace784878351cb4e62e25ae50fd7ee579a3e4c639ab10a24b8d219d24a5fd9201e6117

Download Submit
C:\LabZNP\dobdevsys.exe

Filesize
2.6MB

MD5
15080c35201e7f2cb2813e7a71dac2db

SHA1
f357237547802fa96aac78c4634de0bcc55c27ac

SHA256
6bc6c0a3334401ae2c5326dc273ae8e293bbd43b64ef47d013c359380b2bf1c4

SHA512
7542f34a5835fb838e78e6a19e83df4c96eb8eac857ebcc05cea2a71745dc6472c70a4eed9e217c1e916c364cfa58921e742b813bf8a90730bf6e5140aa6e42e

Download Submit
C:\LabZNP\dobdevsys.exe

Filesize
2.6MB

MD5
05196ba5bdbed270edd7cee31caa2363

SHA1
36b9cecaf781ec2b89b4149432e81e25967a6a82

SHA256
f746464700e0346bf34248164e1d7ecf259b39b2ec152d2a98572b765202d13f

SHA512
a454ecff8560c863d326b5e2aa638129a492b828ed7c3924dd6974afbaa827bfc29df540475aa113f51341211fa183ce1e4d55d1fa6c75203bb7ebe5687bb41d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
d3f4be0dd38d0040efcabbf8b87616f7

SHA1
30ccd9da4d7a998952f146760cfa78aa2c145991

SHA256
b364c19708fc9d69e0ab2b9640def49c679eb0cb5d88b0ebcc14f7bfb16eec61

SHA512
f5e88fde6896f4d672f02a6157619aaed63eac7602529ab53f9fb4d7871d832b929fc171327df50cac298f30c792d0c7bb683a77927583d0acae5628d711b8e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
9d489dceb0af3f648bc7a55dd5f6af7d

SHA1
a50e908b303f37596e468a7e329a19bd6f1d28f4

SHA256
69a76b88ec312fe2bbb2b10b7743b59840111e66643be671c090ca2e669b8fd9

SHA512
53d9608921ebda9e00b2bce848bae66387cd81a52e5036288367ba5bcbc4eb469d90a6378a59f5c448bc777e1056e5c48d03d83e60404a476d57e63fb3721a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
877d88414d3361426647860ebe3ca5be

SHA1
1ebedf40aada29e4d72713da3f4c90c1a40e39a7

SHA256
d8fb959887d563ff5c03773678b3090eb0526bb79ebd92e04029d05919490fa1

SHA512
a19485b7200129ab7668d0ba2d081ee6b81b7252349e4717b50d5cb79c1b36a4232b9929ac2c30b5440ae16cdcdd019863258d0893f0b574900e443db1d462ac

Download Submit