2d567eedd61ea3c6ee37c5fc5b2bfeb3fbd4ded7c380de33bc7c99e07348db81

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300320dafac1d658c57ae1a24dd70c80N.exe
Size

2.6MB
MD5

300320dafac1d658c57ae1a24dd70c80
SHA1

5d82859bdca1e3faf2a06f727cce888f7ceac98d
SHA256

2d567eedd61ea3c6ee37c5fc5b2bfeb3fbd4ded7c380de33bc7c99e07348db81
SHA512

10ee32f58ca7b7a81428446d2b8a5d6d376e5fde9fc0490997bdf5fb0a292f67b83568749e1d0f3692d3ccc7ac882d796a8ba2fac123cbdb9afdbae62840fd43
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	300320dafac1d658c57ae1a24dd70c80N.exe

Executes dropped EXE 2 IoCs

pid	Process
5052	locaopti.exe
2836	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZA\\devdobsys.exe"	300320dafac1d658c57ae1a24dd70c80N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHX\\optidevec.exe"	300320dafac1d658c57ae1a24dd70c80N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300320dafac1d658c57ae1a24dd70c80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	300320dafac1d658c57ae1a24dd70c80N.exe
212	300320dafac1d658c57ae1a24dd70c80N.exe
212	300320dafac1d658c57ae1a24dd70c80N.exe
212	300320dafac1d658c57ae1a24dd70c80N.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe
5052	locaopti.exe
5052	locaopti.exe
2836	devdobsys.exe
2836	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 5052	212	300320dafac1d658c57ae1a24dd70c80N.exe	86
PID 212 wrote to memory of 5052	212	300320dafac1d658c57ae1a24dd70c80N.exe	86
PID 212 wrote to memory of 5052	212	300320dafac1d658c57ae1a24dd70c80N.exe	86
PID 212 wrote to memory of 2836	212	300320dafac1d658c57ae1a24dd70c80N.exe	87
PID 212 wrote to memory of 2836	212	300320dafac1d658c57ae1a24dd70c80N.exe	87
PID 212 wrote to memory of 2836	212	300320dafac1d658c57ae1a24dd70c80N.exe	87

C:\Users\Admin\AppData\Local\Temp\300320dafac1d658c57ae1a24dd70c80N.exe
"C:\Users\Admin\AppData\Local\Temp\300320dafac1d658c57ae1a24dd70c80N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\AdobeZA\devdobsys.exe
  C:\AdobeZA\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZA\devdobsys.exe

Filesize
2.6MB

MD5
c7310a70ace0789a1c760e6ac5f8ee80

SHA1
73f0939b045dabb52abf11e82240ed49ba6028ae

SHA256
9fb40a4a4fe7eff512eac309c5fd89dd7e046d5f879527bf49312f01ac8452ad

SHA512
72fe0a0ffac174862cbba2da3034978e646b965de233d2ddf16745aeb33f1854787813cb7b742989ff617f9f562e9363210480eb5e168d458e79f7332d9b9ae5

Download Submit
C:\LabZHX\optidevec.exe

Filesize
377KB

MD5
c9f79534ebce6d0854e5a245cb91b30e

SHA1
eaccf8119ce4f4379da1a85de8b00755e3f8daf2

SHA256
36e68446e4e507002d8916e84ad74948fe4fd1320880104c73c467b582c46679

SHA512
93d53757dbc212006111904fdafcd0e1b41b13a49b0495fa3c5fcce1d3ddb226b4e028ec24b5eae8c945154a177963704f9904bd65f2652adfd241d3150a0c98

Download Submit
C:\LabZHX\optidevec.exe

Filesize
2.6MB

MD5
821f9b162d0adb2c950d80c7354a90ce

SHA1
e37c8f1570a05221fe9993152a156972bfad2270

SHA256
1bfbb49f60146d95d1ff4631dbab4b99cf60394b3ee0e495e5090744711dbc75

SHA512
dee102d0841bcbd3f49dfb01a4a708124202c16100bb91faf6bb6d0a231294ff157cad864636a0254ecd3db7bb9cf426144dfa4f917807c75b21e4c54a31fb0f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
045e5eca1ac28e068f013bf736b7cb90

SHA1
8081a2e2bd28ea4d3cf3905e757c4a4b025e06c2

SHA256
ac8f0f4d14fdb8a2dea3d1a3fdf6fdc1aa004fbe5a6c8c9abf1f70b95eb660aa

SHA512
29d3f00e88b9b7730ec00ddaaf510d368f511b18261519b02ac2a5d0429096814d71ac4dd75bb8bb4e57b7bab8c1ad27332b42129d9e30f046ed760c68e8c5c8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
0592e467bf68a1cd3dc8d215184d68d6

SHA1
7023a4f504778749b6fabc05029e6153158ff89b

SHA256
ac20be36280fd6840591d9fdf39f7bbf5ecdb014c0f6751ee7e20c96a08fec96

SHA512
3586356e140dd8beacb9b1e447bd66813541a9da798c9677c4e272fc692971fec8a56db24b2018046d478c6f7badd9d05cf461e069cf20ac850ae47958626868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
66d528278fb4d61d830e023aa7b3c041

SHA1
0ff4723fbdbb4614ac92ab3f49bda1c816f2e0a6

SHA256
d8dd34745b17a778d89311de80c5b452c29c658b0ef47c5df2f834a0e214aa9f

SHA512
f378b8c0ae2a5ca160924fd6d451b15a80a21ff0e56ddefdd8a7b04ffc96cebce11641793830e93661b27bb072cf44836a2015bf91bb746b0ca9c02c835f87ca

Download Submit