9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
Size

3.6MB
MD5

03390cf9cadc85befa783a3786098284
SHA1

eac13ab6959dfaef0152ac5686d8fa95aa08f028
SHA256

9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8
SHA512

18c735bd19eb4e68f69f7c85675f5162cd5a70701193262cc9844c0aae278428eb24990113671d2a1b7a48660cb6a6cd9e986e778c9b4eecb35dec81c52692fa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8:sxX7QnxrloE5dpUpybVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	sysdevdob.exe
1180	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUA\\devdobsys.exe"	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCT\\optidevsys.exe"	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe
1796	sysdevdob.exe
1796	sysdevdob.exe
1180	devdobsys.exe
1180	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1796	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	94
PID 2804 wrote to memory of 1796	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	94
PID 2804 wrote to memory of 1796	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	94
PID 2804 wrote to memory of 1180	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	95
PID 2804 wrote to memory of 1180	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	95
PID 2804 wrote to memory of 1180	2804	9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe	95

C:\Users\Admin\AppData\Local\Temp\9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe
"C:\Users\Admin\AppData\Local\Temp\9e4af675ec745f53f37d63c984f74864a968fb3af8577f886838c01e72cc1bf8.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\SysDrvUA\devdobsys.exe
  C:\SysDrvUA\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxCT\optidevsys.exe

Filesize
3.6MB

MD5
7c5cf7db132919e7ed3b2db2ab261e4a

SHA1
b9dce34a6e228c8828c064f32ede96a41a7365a0

SHA256
2e336ee5534245a67cb29ec18c45485ec439be154540c90a52dd66a9ee8c32ca

SHA512
95d96370343de3fefedc7f95dc695aa9561b2835c8a186fe6fa270615672c0cfa10a134e681801c98314278484a37c235a3debefd8be647c69b0f2feb91940ed

Download Submit
C:\GalaxCT\optidevsys.exe

Filesize
471KB

MD5
7371f0c86367680bc4c21d68f710f434

SHA1
52a843006e3f86c23f2169fd8da27ea6d833b291

SHA256
9de5b303c5a50799de70dc6a9cbc1617a896b8249c3ce66859078c21b83dc356

SHA512
c5f33e0d089ca059b18ffd566938903218e51346630cccc4d510f8ea93bc899b4069a59283d3c20e866b22a101582669786299673b8237dfefaa7d3973e331e6

Download Submit
C:\SysDrvUA\devdobsys.exe

Filesize
3.6MB

MD5
7f4dd1f3125459cc549cf447adf7a9ca

SHA1
3bdb8175f8b2843dc739cfbdab29a393a0c8e565

SHA256
b7a99f30a3141f28ebae009595b15f906aa06e4c67b2154113d1d297954ddbb9

SHA512
90d0de817ad568ddbf8c0a8e0cb33a954cf9af4cfe2f11e7ebbcba5b73d72915ec6ce02605cd122ec6fb7d2e01dba242f40a1605901c419ffcf67e840978d85e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
a39e43016a0fb7e70c23cade108cd94d

SHA1
626d7c9e6f83d631cfee3381a69dd2e9855bb802

SHA256
3e05f24dccc8092aeec3e615a32bd48106cc2a71b2b97123ea7c3d46d94adf80

SHA512
cfad3e5f336dade5550ef327c8f21b8c6c8468c42da8718ab8e38ad56dcaa235685fa5c75632c1137349260096976a125d62d91e5e38b368ab38759f79d1a1a8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
653f7dbff37a9eae5d872f927ac16e4d

SHA1
0cbd8358cdb322752f22bb1deeaeefb5b06113a4

SHA256
86791d52ce3f5957126d147e790162bccbdd7ba3b0bcadba060c83da87c09975

SHA512
e3534a428a86484a9cedbcafb757b2421257964423125e35c9a19ae886be591de777018828b4c65742717f99ed467e42e68faf6288164826e56b94a7adbb303d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.6MB

MD5
b8d221f4d30277f93117762df32dd897

SHA1
f5cc3372d1561cff77e95371ce50b1b7b6e1ca19

SHA256
6336259d8706499606e4d36573a24b3c70b34cac33b41573034b38425cb5fa8b

SHA512
b988ea503891a1c60c3cbdd2237fd701b2a6464c3d2e85db463bf2e3e4d670f57fb4b51b4261eee6f477262172794d94fb4aae3cfe894166405b9f32aa02aa99

Download Submit