c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Size

2.6MB
MD5

7b85aff2eabe47a3af5ecabbafd173d7
SHA1

ea0e78441c5cb5968b424d77aeb7c07dca43e4d9
SHA256

c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a
SHA512

5e58548bde67e8fb786c76c87e8b32f23db14300b4c8e746ad387e7e7f764ffd79197d46ddecf570ad4c75542aee70c8baff9438a1f903f47d2c819d00e7b13f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpRb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	ecxopti.exe
2824	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8J\\boddevloc.exe"	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvLX\\devoptisys.exe"	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe
2168	ecxopti.exe
2824	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2168	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	30
PID 2368 wrote to memory of 2168	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	30
PID 2368 wrote to memory of 2168	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	30
PID 2368 wrote to memory of 2168	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	30
PID 2368 wrote to memory of 2824	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	31
PID 2368 wrote to memory of 2824	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	31
PID 2368 wrote to memory of 2824	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	31
PID 2368 wrote to memory of 2824	2368	c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe	31

C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe
"C:\Users\Admin\AppData\Local\Temp\c0191c5e81c1630f559fe85f9089b7aefef05d38b7a220ca7c8a665aa19e8e2a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\SysDrvLX\devoptisys.exe
  C:\SysDrvLX\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint8J\boddevloc.exe

Filesize
2.6MB

MD5
35c19a676d20627ee2991f89253fe154

SHA1
fbe86f15816a4f2a1d1eb2de11c8f323620d4441

SHA256
3a50991056b7719c4569190bccf5ef92715512176e68ec464f040168e55ebbd2

SHA512
d40cf42c495f49d25d86708e44c0b54a42b7aba37730a49a4422cd943f6600e17d15e12a5b20e0e68f0327116578f96e22680aa8a56f705d054362e4d0f99fa7

Download Submit
C:\Mint8J\boddevloc.exe

Filesize
303KB

MD5
27fa4bdceea3629952986eb7b916f150

SHA1
521368a648bc7df3ef1e96204ce54c69f0a18b24

SHA256
8d569cf61c3fb3705ac5098b925528b52de8535a3dd96c3ea38763ddd4857f78

SHA512
cc7ff1578926aed2ab285875205ca55d5e24ae36df2c091fdb62693a626757ab0a83078403cb00a918b5c90dd1a7b2954e82d210ff217cde379f00d3a2cd49c1

Download Submit
C:\SysDrvLX\devoptisys.exe

Filesize
65KB

MD5
d58e75dec58b0b30d5f6a564b3dc23e0

SHA1
4a9a39a559823566faf88706593999e8379cb819

SHA256
c8e0196d78f084b9f29d58319b532b59746e2ab432aab8bcce8570dbdb347d05

SHA512
c6076b935473b11dc9771ec8f6307a0b4e8d14503cdc97e9c449905844e3e197f9503e5f64e8d28cc02a3c28a3a1357505825eb3accd54930789e9dba072b676

Download Submit
C:\SysDrvLX\devoptisys.exe

Filesize
2.6MB

MD5
619d6132951664f8e26e852ea16226ae

SHA1
adfeb89d7ed6072f75c6046713c9b774f7333605

SHA256
927040333daf2d4c44db528aec5632ea8f0c8365ef8e94a50f4a82cc4e1e26d5

SHA512
1c8ac09d9dbbb9b23b0646f7fe1e79323272521e3924c40d7e38b50a2a7f1efd2e9ec21d3a19f49544ce5f64373f1e05b957a4d909d5dddb1ccb32d3379f77a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
fdb34838e63504762721bfdc5d55c974

SHA1
7aa199a26a94df8f6f3e45456295bd041f28bb96

SHA256
9dabc0c2c8bf317afe75448cfb064df145e3b3272fca9ec1462f7bf3a6b7cb37

SHA512
faa81b62e0257be15b17494adb48c32e8039b5d568eb6ce2b2709a55cbe98066694e467ddd17def6540df99973af1ed02cd871a899019e588158d5b35b3005a5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
888b92022e48af4b444dd999cc44dbc9

SHA1
3cc7f8d28fdd5086bbb01b6617c44bd357ad4807

SHA256
dbf22c0cb53c28e07b6ad6fcede295491e6898dfead98c5001ce2fcdf69676ef

SHA512
04dcb575bdc8d7b85c2863be0a659799e139cbe6c082f5e5b9a00dd01dc4f652d6179342d8474bedd1879ce05daa78fba7a1765573c2896a50f76e10ebbcd728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
2.6MB

MD5
375dbe7d0751ba5ca5de4bd533a7d0ee

SHA1
aaadcf449c8282f25abd722ac73dbad4aac29ee4

SHA256
6b93053d5685825a1f9e06d3daa49e57ddff638f452a111abb32fbc2cea3f9d5

SHA512
73e8e7693045f4d10e1d680b6883668c906c5336c342bb12eeda28bc0b16aab807099855f3e6ab5eb07a0dc32c7b8d063b11e60075e2ad55fc1594f8f2fc3cf0

Download Submit