f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Size

2.6MB
MD5

5b7afcd55c9ffaa51d37f7689696aba7
SHA1

c3a1ced3c3a574cf959569fd7c353c7ff41704e5
SHA256

f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf
SHA512

50972d2ad3c7359e5cea795c2e6cbfffc6dd3f0ec176e0f86e0098255b07a2a7c92d89857a476b996777ba1b9a7666b70d7d9a9784cf9d81a7e4ee9d272c4d91
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp6b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe

Executes dropped EXE 2 IoCs

pid	Process
4004	ecxdob.exe
4640	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD6\\devoptisys.exe"	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7B\\dobaloc.exe"	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe
4004	ecxdob.exe
4004	ecxdob.exe
4640	devoptisys.exe
4640	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4004	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	88
PID 1440 wrote to memory of 4004	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	88
PID 1440 wrote to memory of 4004	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	88
PID 1440 wrote to memory of 4640	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	89
PID 1440 wrote to memory of 4640	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	89
PID 1440 wrote to memory of 4640	1440	f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe	89

C:\Users\Admin\AppData\Local\Temp\f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe
"C:\Users\Admin\AppData\Local\Temp\f9af2c3968ac850464f135191de237bd9e05e1401144b861f3a228ea5b5bf2bf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\UserDotD6\devoptisys.exe
  C:\UserDotD6\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7B\dobaloc.exe

Filesize
2.6MB

MD5
6f7b9f5def61f61fb1e60a66716d56fa

SHA1
5995d67e7a5c8bffe864fc7404f0642db8768215

SHA256
c60c552a1083f25882ad9c70cea929b7d7b20a9509fe4d5bfb926ee5f71b9d8c

SHA512
ef238da5c519159a6874be56d95013c043eaf93b63c8e5ca95c75f0e540b4973e219c1994a63fd7d145bf73d70ab07b857c935ea78914295603d6c6c55339273

Download Submit
C:\Mint7B\dobaloc.exe

Filesize
2.6MB

MD5
721a607b3a72a41cd429093f68965cfa

SHA1
b06d471244f66986a7914b243c66912d889a1d2d

SHA256
7f95cffa9609aabc96d10774268a0634a900404541c8ec4c2cb5999ca1685461

SHA512
6d2b8a77d01ce1006990d82ec9b5f7fdaf30f97a4f0566fef0a8459bb836ec217c13b0c7225065436447a77d5ae09d555501a5cb703d93cb1b6c80713f916841

Download Submit
C:\UserDotD6\devoptisys.exe

Filesize
2.6MB

MD5
a8c380be0a55f1a1e77065f65ab3575e

SHA1
ef26a49e12b5bd6c9db63f7fee4364871255f475

SHA256
6c79ffe75d3e723bc435e3116b2c4de7c528f55c5e0f518e7b15d4c5ab72143d

SHA512
4e6b2d164b8ef5ab4ceff55a0aeda4dad3720d3a05e4db1e9c19ed84ebd3ebaa0fcbca01c8b96ceb2fbdc501e6c16dff8155bc15ec11294d623f83bff6cf2b76

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
7a0e93ccfd6f3cc636b4a5529f18c7e7

SHA1
5e770986d8e9ee14c334a3c08258c623bb0fdc7f

SHA256
f1b376183fde97da5bb8ae1b968f7562fa995bfd91f2a802086bb3c21e081839

SHA512
24219b015cca5dce67dc09cefe3eaa67ddc5d183fb33a3b585bc6705260d349846325d7d787544decc4ec37d13fd174a9788f57c0d9c806b126bbbc138de76bd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
bb0a5063b284d53a7705794420c4a614

SHA1
86198858e0b5a9c9581c0a62a34a9548ee3a5e56

SHA256
9da3fbe3d45b9d02288aae1cbe0fe70a1e94c1a0c9b15c542d7ace532abdad04

SHA512
ab1a24e0c41517564df9d00c7315f75bebd48d5b11029ddf1316f27b1ad2aef299ac8b67eb2416c4a0156668097a719879dd15356335a689337124fbc870d56e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
45dc073c6bfa0c0bb38dea9290b6bf7d

SHA1
90856268b1f0a636ef6e3e7cc5ea1641e7a4163c

SHA256
cd9006f93a15c2ae20e64627f1ee7df5941978387c68576ded0db038f9adf537

SHA512
08e0ae84fab746e679a812dd0a433e7011f25bac3265dbb53ee39254d63c9352af9a8de6715baaab4889e2f8124738cd1d73951f0c26aab73a8ef2e9a84c1491

Download Submit