742c574da40e41ecf3bf65e4210294806d317bca2701e3ad4f6e1b8a9ceeb98a

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a267553b2ed86fe91884285ad7f9e720N.exe
Size

2.6MB
MD5

a267553b2ed86fe91884285ad7f9e720
SHA1

bdeac1f3a341e0a8d0e3f16505601e225e888208
SHA256

742c574da40e41ecf3bf65e4210294806d317bca2701e3ad4f6e1b8a9ceeb98a
SHA512

cc0ea74c8b81f8da33c22a40368a2fe9bf503c62a78091219e5d3200e034836d5520334a5aebbef0872f1cb989c0fa11f9588b5804d6ff3db0c09ea55328a925
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpOb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	a267553b2ed86fe91884285ad7f9e720N.exe

Executes dropped EXE 2 IoCs

pid	Process
4472	locabod.exe
920	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSW\\devoptiec.exe"	a267553b2ed86fe91884285ad7f9e720N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1P\\dobxloc.exe"	a267553b2ed86fe91884285ad7f9e720N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a267553b2ed86fe91884285ad7f9e720N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	a267553b2ed86fe91884285ad7f9e720N.exe
5068	a267553b2ed86fe91884285ad7f9e720N.exe
5068	a267553b2ed86fe91884285ad7f9e720N.exe
5068	a267553b2ed86fe91884285ad7f9e720N.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe
4472	locabod.exe
4472	locabod.exe
920	devoptiec.exe
920	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4472	5068	a267553b2ed86fe91884285ad7f9e720N.exe	87
PID 5068 wrote to memory of 4472	5068	a267553b2ed86fe91884285ad7f9e720N.exe	87
PID 5068 wrote to memory of 4472	5068	a267553b2ed86fe91884285ad7f9e720N.exe	87
PID 5068 wrote to memory of 920	5068	a267553b2ed86fe91884285ad7f9e720N.exe	90
PID 5068 wrote to memory of 920	5068	a267553b2ed86fe91884285ad7f9e720N.exe	90
PID 5068 wrote to memory of 920	5068	a267553b2ed86fe91884285ad7f9e720N.exe	90

C:\Users\Admin\AppData\Local\Temp\a267553b2ed86fe91884285ad7f9e720N.exe
"C:\Users\Admin\AppData\Local\Temp\a267553b2ed86fe91884285ad7f9e720N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\FilesSW\devoptiec.exe
  C:\FilesSW\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSW\devoptiec.exe

Filesize
2.6MB

MD5
ea6c6fc1c53e65ae7cca3100ee6f812c

SHA1
458cee47fb9e5ae03e384a44659dc40c692a3307

SHA256
7580442c7abb771102a47e6b4a18cafb1b576ad48704a9ff28a577afc4a78d19

SHA512
203cc88194053f8b74d404ae0bf4d73bfe3b883038e60254758add64818298dde966e34f7b8ef9234240da6ef245685fa5415e9a5c0344694c153281cb16319e

Download Submit
C:\Mint1P\dobxloc.exe

Filesize
362KB

MD5
b5a4f404e314653c251f41e8e6ff1506

SHA1
2481e42e62dd0e166bbf8b201ced4fb0f97c0c4b

SHA256
29dee0c5a77b281b607ce6acafc6a643fc5c05ed1c1259281c9a2065c633f64b

SHA512
5b7cd57f124bea1e5bf4d8340bf5d6fb5c3de99c10eb2d81af2ae842f1b94a4f81bc1caf430b783099534829c76983bbb922c7f91df646950bde44c64d46ca6b

Download Submit
C:\Mint1P\dobxloc.exe

Filesize
2.6MB

MD5
1a2d5de7c59e41508ce0d7f8d6a62e1f

SHA1
6f001670d6d7263fde5c78faad097500e6e4f66b

SHA256
f56f4fa88928d16ab453be3e439580471b995d6d37d2ff73ab5a7993009147c5

SHA512
93783f19c08ef4877d72fc4107eefc9abb8002cf255ba1759efece6e95009313c7bdaad47633fa70e90692f811ce2cdb8f23f9610885eacf252a9db1143c0651

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b587bae54bdc57e25bac41bc36002a4d

SHA1
73d3e7b5a42a833842d4d4ce523e4dda8e8c7351

SHA256
b24072800561e95887d8324a55520285cb7c604947c667ba45e9c03ad61d1bfd

SHA512
2a5d574aaf7ea39d5c5531e6b21e7010b7c53f7c1d65576615b1056a2c604db38702e6bbc3f57a52789cfcbf8fb9aa6b2b392bddc1699c5e30131874ec76c6aa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
658595c63053f5feb84cb862b621369e

SHA1
7927fc8277c10807e70d6b9cccba94e30b4903b1

SHA256
5cb94cb047bdcde3dd62590fa57ee2ddfceacc98dca36c0bcd8ff6d1681c81a7

SHA512
a44620da47e3ffa901e61c5afafc2f696549b6022f3bf9ba834d35990399c6b2cae3f4bb72e803ffb4371ae2cec40211c319bf04ea76aa58e179ed34f25d7ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
c10740d015296f28624d1b17db2c153b

SHA1
64a766d426de1c6d48fd07f959593614f01324f7

SHA256
29aa4d2c3f8892d4a1ca9e6fb442999380d618f3a0f10ad1bb6d229ffc49fc52

SHA512
319fdfbe5b539e4cc9109e71a85ec90d0e0bcf9c977d1ac20333f4a140fff4e568c69ad725c0725b221ac4e96207f0fc495947f175a91366cc56809682a4f09a

Download Submit