fe352c7e16dea86f5106edbf552b3bd4070e48427534e82238f8d8c7169999c7

Analysis

max time kernel
118s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

281264a9bd98496aad4f9f3d90863f70N.exe
Size

3.4MB
MD5

281264a9bd98496aad4f9f3d90863f70
SHA1

04d5eb7d96a69b148b31fd50ed3d1c4913ac56e9
SHA256

fe352c7e16dea86f5106edbf552b3bd4070e48427534e82238f8d8c7169999c7
SHA512

0ad7d6828ab9a15d0f0ddeaf25cc8671b96ebf28466e9d40df8f2e659b5d2d7192e7baad38e59f3918fe0f0013749a5e159c2d0b7684398a277aebb79e36ccb2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	281264a9bd98496aad4f9f3d90863f70N.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	locdevbod.exe
2496	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKO\\devoptiec.exe"	281264a9bd98496aad4f9f3d90863f70N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\dobaec.exe"	281264a9bd98496aad4f9f3d90863f70N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	281264a9bd98496aad4f9f3d90863f70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3432	281264a9bd98496aad4f9f3d90863f70N.exe
3432	281264a9bd98496aad4f9f3d90863f70N.exe
3432	281264a9bd98496aad4f9f3d90863f70N.exe
3432	281264a9bd98496aad4f9f3d90863f70N.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe
1780	locdevbod.exe
1780	locdevbod.exe
2496	devoptiec.exe
2496	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1780	3432	281264a9bd98496aad4f9f3d90863f70N.exe	90
PID 3432 wrote to memory of 1780	3432	281264a9bd98496aad4f9f3d90863f70N.exe	90
PID 3432 wrote to memory of 1780	3432	281264a9bd98496aad4f9f3d90863f70N.exe	90
PID 3432 wrote to memory of 2496	3432	281264a9bd98496aad4f9f3d90863f70N.exe	92
PID 3432 wrote to memory of 2496	3432	281264a9bd98496aad4f9f3d90863f70N.exe	92
PID 3432 wrote to memory of 2496	3432	281264a9bd98496aad4f9f3d90863f70N.exe	92

C:\Users\Admin\AppData\Local\Temp\281264a9bd98496aad4f9f3d90863f70N.exe
"C:\Users\Admin\AppData\Local\Temp\281264a9bd98496aad4f9f3d90863f70N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\IntelprocKO\devoptiec.exe
  C:\IntelprocKO\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKO\devoptiec.exe

Filesize
9KB

MD5
16a4bb0fc3d5c44be3028068af1ea1ef

SHA1
3525da0805ed7773dfef437f24482b727389e9db

SHA256
cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

SHA512
b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

Download Submit
C:\IntelprocKO\devoptiec.exe

Filesize
3.4MB

MD5
40eac05f52bcdfd7785e2dee71116418

SHA1
afabf5cf907050d00a4656801177a0b9edf5b234

SHA256
9adbc0ed01a3a12692582f016f3fc7a3b3b530092a5714787f7e22db724d8ca6

SHA512
6218414a44b6535b4901d22caf0edfabefdc49a8f031b777c0ec397a94fb95eb1c9880e72f183f2f8c5b94e93e4bb95c0e77071d3133e85f83e62487c17dd578

Download Submit
C:\MintIS\dobaec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\MintIS\dobaec.exe

Filesize
3.4MB

MD5
8af4e26b33a1234c6830c29ec606bcdd

SHA1
ac0cc46e4600e950088d45e8e85988c25a72a465

SHA256
52cbd0734f2f27333ed60e7beaee0130c5b6a9a585ca053f68bffcc6fb850e3d

SHA512
bd59bce4f8d9b77b6683e12b383d2b61750462c832c29fe9265b5f512ecc9ca8c4664a3a62056db72c687b7b464917ea38d854fa065188f013e284921be46e8b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
a34208f6f96ed9c762187e5ba7716bf2

SHA1
da6792f9264ff6c326e6e17fffcb4c5ce2941955

SHA256
3029128fec2068bfc746445ee8d57a630d33b6fa035bddef2e08bef5139e97be

SHA512
cf4634af718eff51c0675df5b72c172453d531eb672573efdc307eabbc5a18b56b27a3ae9ed20539d14b9b958c651aa699cf81e0cdf656077cf37cdcac37828a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
158d8352e255d1ca9a49ff69faadbf10

SHA1
80d9ac37418cc0dfeba5c2191faa9396fea118eb

SHA256
1e8d5bd2966143d945dcc7d3902a90e9d6fb3dabd49727f75dd08a663efc5c15

SHA512
d9d56bfb06dda38e8b318b77f3ab35aa2a2c7b718c866b9377a8cbed2f17116783c276d2af2256dda50f851f2c2d1a8a9fcdf1c1b8c1ccbb23ac191cc0641e99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.4MB

MD5
dcb5f9e4374a3df7f3bf395cec4bf548

SHA1
e03736a92b8b5ce446bec4d8d3db9fd5b5d1a828

SHA256
fc5d687c136337c15dbfef0818df66024d50dd3fb369b580d757cf887dbb9670

SHA512
db3c6fa08bfc701c74bcac2081704882534c44c1f6f8f05a71b5865d24b758ef828afa02f7e425c37a5afffe3022dcdc30dfa4b6e0863f490c34d12d2966c003

Download Submit