9738ef03ce2bfc407586066e252e39a680e1094b6af49f23fd67a945b3bfd408

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714f42f8883edee5fb8024725326e6f0N.exe
Size

3.1MB
MD5

714f42f8883edee5fb8024725326e6f0
SHA1

3f34bcf888acdca5f71bb3dc911ab9670425981b
SHA256

9738ef03ce2bfc407586066e252e39a680e1094b6af49f23fd67a945b3bfd408
SHA512

476e8e8e4568d67d9c422cbc3bc3040548dcd7d46b51e88650b2d714ad626a444f0edebc74ca6c74c911c987aa77c03fa36f9cff965dc0b1d6e24dcfd5730218
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8:sxX7QnxrloE5dpUp0bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	714f42f8883edee5fb8024725326e6f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3164	locdevopti.exe
1744	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC8\\devdobec.exe"	714f42f8883edee5fb8024725326e6f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO9\\optidevloc.exe"	714f42f8883edee5fb8024725326e6f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	714f42f8883edee5fb8024725326e6f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4736	714f42f8883edee5fb8024725326e6f0N.exe
4736	714f42f8883edee5fb8024725326e6f0N.exe
4736	714f42f8883edee5fb8024725326e6f0N.exe
4736	714f42f8883edee5fb8024725326e6f0N.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe
3164	locdevopti.exe
3164	locdevopti.exe
1744	devdobec.exe
1744	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3164	4736	714f42f8883edee5fb8024725326e6f0N.exe	86
PID 4736 wrote to memory of 3164	4736	714f42f8883edee5fb8024725326e6f0N.exe	86
PID 4736 wrote to memory of 3164	4736	714f42f8883edee5fb8024725326e6f0N.exe	86
PID 4736 wrote to memory of 1744	4736	714f42f8883edee5fb8024725326e6f0N.exe	87
PID 4736 wrote to memory of 1744	4736	714f42f8883edee5fb8024725326e6f0N.exe	87
PID 4736 wrote to memory of 1744	4736	714f42f8883edee5fb8024725326e6f0N.exe	87

C:\Users\Admin\AppData\Local\Temp\714f42f8883edee5fb8024725326e6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\714f42f8883edee5fb8024725326e6f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\AdobeC8\devdobec.exe
  C:\AdobeC8\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC8\devdobec.exe

Filesize
8KB

MD5
640f7b2ac26336229373f2ecd8f1e3a8

SHA1
8cfce73dd133747809bae24c696a802d971ad6df

SHA256
66baea018715e78994053487d660febeba43540f4d76ae24735f7587954117d3

SHA512
ef4e20d859152927a79e4664f7e94555cb4816cfc7746d897db81ec06b07015e8e8d2d096446d27e9cdc3935f8a9e520a00b2f9582f31ffd83a9c36f0ca33267

Download Submit
C:\AdobeC8\devdobec.exe

Filesize
3.1MB

MD5
fedb0780dca9b43b452fd9290f2c877f

SHA1
9b47fb2c56fa8d365713939d9629f52022d50034

SHA256
c08d12f466a135f880a108064de9e7b69604961f5300c271da27d2e200f2f421

SHA512
cfc10a57dc29fbe3842215e43df165dfcf75911f2ccab87277411a727e36b0c85e590e3bd91837751c7c963bca67453169de43ab85bd23bb98e7d23bc59ba70d

Download Submit
C:\LabZO9\optidevloc.exe

Filesize
3.1MB

MD5
46bcbe5d1c80af67a0eb4ea241bc1e49

SHA1
dbbdf9d46521055a9587b8e0d6bd04a336afd1f4

SHA256
e0912ff728ab97905580a81e11c1f2a17e1e59b95bdb2407ce217ce2846fff2d

SHA512
13091ede4f9caf6e5e16bf96b06108189cc7ded1ca4aaa723d063d3d97392232bde294d1618724865ca4077fc3cf2c1af8dba98b94eaa6a61a6a2a514df33af7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
c136b24c9581402a4a71c1fcd703a094

SHA1
3cbc475114ab5b5d3bb251718af6f4572479411d

SHA256
c088c8b0af231181c8510344c8e9b76e37ebb3d0d02d7fa5afcc5582d22fb1e1

SHA512
ab3a55970ecb204a74048e52901b2a2e17776f93986d519bbbcfa3f3fa9c1d4df639ea3e4e9923c24892e87b364c1d7fc86bc0f0f2caf1053dd7fd483ad90fe6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
990b37d892a862925751b1da18ebd4ea

SHA1
82f1f22c0288d32eb841ac67cd1d41c09fc0442f

SHA256
e5934874e65c3e697af01e0271c2b20678b143dedb33d14cacc0293457a7fd14

SHA512
b1acdd03c6dd138ad704dd5a111361410706051cc2dfbdcce8869a7023900f751d97af3aaa4a2bffd4d87eefbd6a1c0bb54e2a30ffabb3471df3fbcb3e8019cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.1MB

MD5
048347809f7bd2c60d13abc92d78eb32

SHA1
1be26e289b66786b248736cb462b7f892f8c3565

SHA256
07cbcab9b41bd7b35d195f1adde2cffbd6774295c718c4d9ff39736805b81e1c

SHA512
6d9f085b09ada7da87f4642311a1beb4a5d0a3309de0a946bd11562f7fffe79a4c69fcaa73438e4b141e6c710ae7e3dd75fcc5be179b0d93a2f0e168a99f36bf

Download Submit