db151a1e2834e88938eecd6986efae314b497137d976d81a216673298fe06100

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263d293e9ad948b14593f529d9f193f0N.exe
Size

3.2MB
MD5

263d293e9ad948b14593f529d9f193f0
SHA1

32f62e6829fb5806934211670c6037171c1f8af0
SHA256

db151a1e2834e88938eecd6986efae314b497137d976d81a216673298fe06100
SHA512

08326a83c40030a73a90a98b8b48ecfc1eecc99a35e37339acd30ac92e0cf5f22d44d3c8b3a9c9319d38375c50eaa3128c43466a51a869b4d98dd343a5d06794
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpwbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	263d293e9ad948b14593f529d9f193f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1020	ecdevopti.exe
2216	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBL\\devoptisys.exe"	263d293e9ad948b14593f529d9f193f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOI\\optidevloc.exe"	263d293e9ad948b14593f529d9f193f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	263d293e9ad948b14593f529d9f193f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	263d293e9ad948b14593f529d9f193f0N.exe
1208	263d293e9ad948b14593f529d9f193f0N.exe
1208	263d293e9ad948b14593f529d9f193f0N.exe
1208	263d293e9ad948b14593f529d9f193f0N.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe
1020	ecdevopti.exe
1020	ecdevopti.exe
2216	devoptisys.exe
2216	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1020	1208	263d293e9ad948b14593f529d9f193f0N.exe	90
PID 1208 wrote to memory of 1020	1208	263d293e9ad948b14593f529d9f193f0N.exe	90
PID 1208 wrote to memory of 1020	1208	263d293e9ad948b14593f529d9f193f0N.exe	90
PID 1208 wrote to memory of 2216	1208	263d293e9ad948b14593f529d9f193f0N.exe	91
PID 1208 wrote to memory of 2216	1208	263d293e9ad948b14593f529d9f193f0N.exe	91
PID 1208 wrote to memory of 2216	1208	263d293e9ad948b14593f529d9f193f0N.exe	91

C:\Users\Admin\AppData\Local\Temp\263d293e9ad948b14593f529d9f193f0N.exe
"C:\Users\Admin\AppData\Local\Temp\263d293e9ad948b14593f529d9f193f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\UserDotBL\devoptisys.exe
  C:\UserDotBL\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZOI\optidevloc.exe

Filesize
3.2MB

MD5
9e613c8f61b925a96a8750fcd03e3858

SHA1
97ed44e6062c07a438da081a5e51ff8c5f2d3527

SHA256
b004007556454026377b50fb811ac905b8eb5393734d15f138a37a300d0a339f

SHA512
151fecd687bf2bc51301c9a7bfa24968e9784da1cd68e04d35389b210512a950fc39c6b69d779c695b79a28d81b828ffda44d5cfc76165a576bb6907f373d31e

Download Submit
C:\LabZOI\optidevloc.exe

Filesize
25KB

MD5
c9221e0eb3a16dce428ff8c482aa2dff

SHA1
793cc75bc04db78d6d21cce028ebc5202ab1f199

SHA256
89c1ad531a116c26ad2fba26da6aa3bfb742ddc6af38f6f62b23e30e4064dc82

SHA512
47ee868b2819e8889fa54c5e846d987eb2e67d90d25d969bde5b4f55cf75e4b12765acc7077bab313d9e96935a1d554300bfac8ef2ebe9d36f2bedcf78e5ec12

Download Submit
C:\UserDotBL\devoptisys.exe

Filesize
80KB

MD5
7d1bb0cc0e3f7ecb4f15fca47bc032fa

SHA1
8c08b21ac5a8982475580e68a964746ada68750a

SHA256
3d70791224421ef8ad82bb34a17e31c86f51048fb812f13651f883e5b691247d

SHA512
39ccd3478ec8ed1edb688eb1a229c22fda2a51fe1bce727de6762d12f391bb7ed48c3b2a2d0dc1c214ad3eb7a92af0c03ec4cee2079219bd898e86dd2eebc4ae

Download Submit
C:\UserDotBL\devoptisys.exe

Filesize
3.2MB

MD5
f5a310591599597878ea928e207810ca

SHA1
15818ebe01a1abbdbe0b6406757d003a6d478b35

SHA256
bb4723e006382229c6242ffc0f8ceece97f9e36ceed07bfabff14def77d06ccd

SHA512
40e30a81ad39693a9b2dd6e7283e1293d3127c15c05671a1161c378a72dc42575dea47d04f96c16dc6c36678afa4997d0f23b33a4eb5c2afd6e6554878a04c6a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
3eeed1641ef743ad242539cce3690ebf

SHA1
231e67850b3f2e05ceb58563519103c0e85cc5fe

SHA256
6fe8a86b6d30b87fb401ec632b5bdb746d8d9208770f0b68aeb9862ccc810dcd

SHA512
5bef9737dad0693cd8c43918d9b5b55349d98bc0408239910b2e8cd56b33c25aad0fd09d7eca584d8752f214fbccdacc11170c98b7fab58eea8b381ab7263755

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
178B

MD5
d104f3c8f9595e4baa8fc69d79da14f3

SHA1
75869c4bcfd80ba0f7a6b63bf3adc8c0505ec1ec

SHA256
014e9ea96149b0aaa0caa8a71a41a7d8ba63f1406e1d27e229ad91abd6fa6bfc

SHA512
7ff1cb3b224bec21aa5541b5aa4c73372a9c32c83ad48c4118adb1753ecae43110f028f4db7c7ca07bf4e2751739c7b70b36024eecb48121ce596ec4b2228e17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.2MB

MD5
cabcb9776406be384e6aea1c6daa6ce6

SHA1
38d39e2b9f14e8474feceb6ec52fba1d4a0c86b7

SHA256
98e291ab17c77b3c4150aa13279626babc2a258f68d877f08c6888935e7f9fb9

SHA512
1316011d7307b86f8b1fe3c92cd9d5cf6057d41d0f35589e9441888d2997b9464d7d792e0b54551800eefaddb62084407b94ce8908247239e2122e5bfc6e5963

Download Submit