c5b461a05c4af0147c0958521d9b2d79dfe37217b2a25c3c61270c67afd26b81

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 13:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dae87676f200f7498022820abf450ee0N.exe
Size

3.1MB
MD5

dae87676f200f7498022820abf450ee0
SHA1

a1711b48e0ce0f25ebf41eee479f29a76b156a2b
SHA256

c5b461a05c4af0147c0958521d9b2d79dfe37217b2a25c3c61270c67afd26b81
SHA512

b3f0f92ed509306a444d527c8d74ffe991e93747cbd87b0e98f9df9ef8b046136befcf38fa57dcf2fd7769592e314f5a122fc0f4378c4eeb5f0840bd7030513c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpWbVz8eLFc

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	dae87676f200f7498022820abf450ee0N.exe

Executes dropped EXE 2 IoCs

pid	Process
972	locdevbod.exe
2872	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	dae87676f200f7498022820abf450ee0N.exe
2348	dae87676f200f7498022820abf450ee0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc62\\devoptisys.exe"	dae87676f200f7498022820abf450ee0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZE3\\dobdevec.exe"	dae87676f200f7498022820abf450ee0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dae87676f200f7498022820abf450ee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	dae87676f200f7498022820abf450ee0N.exe
2348	dae87676f200f7498022820abf450ee0N.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe
972	locdevbod.exe
2872	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 972	2348	dae87676f200f7498022820abf450ee0N.exe	29
PID 2348 wrote to memory of 972	2348	dae87676f200f7498022820abf450ee0N.exe	29
PID 2348 wrote to memory of 972	2348	dae87676f200f7498022820abf450ee0N.exe	29
PID 2348 wrote to memory of 972	2348	dae87676f200f7498022820abf450ee0N.exe	29
PID 2348 wrote to memory of 2872	2348	dae87676f200f7498022820abf450ee0N.exe	30
PID 2348 wrote to memory of 2872	2348	dae87676f200f7498022820abf450ee0N.exe	30
PID 2348 wrote to memory of 2872	2348	dae87676f200f7498022820abf450ee0N.exe	30
PID 2348 wrote to memory of 2872	2348	dae87676f200f7498022820abf450ee0N.exe	30

C:\Users\Admin\AppData\Local\Temp\dae87676f200f7498022820abf450ee0N.exe
"C:\Users\Admin\AppData\Local\Temp\dae87676f200f7498022820abf450ee0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Intelproc62\devoptisys.exe
  C:\Intelproc62\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc62\devoptisys.exe

Filesize
3.1MB

MD5
60e958529a098543ad668ce85fb05170

SHA1
e03fcfd0e0b3fc13cfd2f5cfe2d63914aecedfbe

SHA256
e77cfee87c52f9fc368ad344122be6ceed982914503f88b365aa81e48d22e69e

SHA512
909841fab5d432c3667e2dc3cdc92a160d2d47cc1a1b3324ad22954016f5271c0721f203b27c1eba3fa9531fd27c82914fe0806f9d837bac6cd65d5495ed0be7

Download Submit
C:\LabZE3\dobdevec.exe

Filesize
3.1MB

MD5
d95f83d57fd979daa88d4861a6e9c6e4

SHA1
4a926c83658c9caf3074eb2fcac4a2397c30a5f9

SHA256
23f4edb51772f71360e48871f904ebe71d86a4645fafe3be1bdda57a7f2ee6e7

SHA512
e63aae49f338c51731476b1816aafc54e0b0cdbee38be907c6c887ebdfd81e535c2965c8e343b2517976f7638fe627213119027bf0c846da4838a588202af630

Download Submit
C:\LabZE3\dobdevec.exe

Filesize
3.1MB

MD5
140a5b489ff7af5194a7dd1a0d95a1f7

SHA1
a355e26e6f4785097a81de8b317fa37ddf4f1358

SHA256
72d7c8530b2235fe345ff9650549385dfd84dd19ec015644756f3fec8f909f76

SHA512
733653f85c1ca6263f67acee9d39c2fc5cc79c396f391a388dfc13185a1f57b4b56999c6219bc649af03a9d93fe5aa308921ff9ac2bdc131791430f8c2f20d56

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
178B

MD5
b91baf4a2cd88f3b5e1333c14f4faae4

SHA1
ff11d4862e8c6539a271726c532008802d734812

SHA256
c022464baedf55d7c456bb336f02c222cdabd7f198fb994f2f71125f3e040307

SHA512
b20ae35b6a50898b03da4b6393c34b1f4e9fbef647e6a52ad152eb3456b71f6ab50925487c51d334c4404e66a9aa60e25626efb0f9a83d2a9e75e9f336845303

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
9b244f457a5fee501fa001c9faec1774

SHA1
3cd291435d42ca602c299b1ccf1fdac464cb1009

SHA256
d88f8a8639cc688f9cc3713a5a0c1520071947bcb572dfd87034828ac8e711a3

SHA512
49f32ef72f4578fb4805b7c7bd2e8035d9cda0df786a8dc22b4718a1dce020c24495972caef07f9851de5567dba6b7d08dcde3c452daadabc1dcb7e523538141

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.1MB

MD5
7368652ec9ee5da71fc1df613109a9a2

SHA1
232170269eca906650aa7395e9570f45734bb6dc

SHA256
52f4246c5b58204216e9df99bd8c97ffc18392fa04f9ddaa767a076151c4eda4

SHA512
80f565ccae1d28076aeaf784310fb4c33ff67bdfe38b9328d9488927675b3b2e03d1cb2733dcac32730b4d7b558843d1d3293925732c66ae3ee4bf1f90c29bb1

Download Submit