a731a29140de578595f9047680b811c89ea3c33f5a05cff251fbf104e4f3c542

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e9d701097d04698f79e1666583d8d0N.exe
Size

3.2MB
MD5

09e9d701097d04698f79e1666583d8d0
SHA1

3ed675da18525a87f7ca9cc8012f58fc36eeb7ff
SHA256

a731a29140de578595f9047680b811c89ea3c33f5a05cff251fbf104e4f3c542
SHA512

0ed99d85158d559e2d7f3ea32c969a6e23c8a465d9cef9d7875066cccf63b13c173bb13c196c74fbbf7672382000f8f24173a36799585bb77f23055a259989b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpbbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	09e9d701097d04698f79e1666583d8d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	sysdevdob.exe
2484	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	09e9d701097d04698f79e1666583d8d0N.exe
2392	09e9d701097d04698f79e1666583d8d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint84\\optidevloc.exe"	09e9d701097d04698f79e1666583d8d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRH\\devoptiec.exe"	09e9d701097d04698f79e1666583d8d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09e9d701097d04698f79e1666583d8d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	09e9d701097d04698f79e1666583d8d0N.exe
2392	09e9d701097d04698f79e1666583d8d0N.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe
2172	sysdevdob.exe
2484	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2172	2392	09e9d701097d04698f79e1666583d8d0N.exe	30
PID 2392 wrote to memory of 2172	2392	09e9d701097d04698f79e1666583d8d0N.exe	30
PID 2392 wrote to memory of 2172	2392	09e9d701097d04698f79e1666583d8d0N.exe	30
PID 2392 wrote to memory of 2172	2392	09e9d701097d04698f79e1666583d8d0N.exe	30
PID 2392 wrote to memory of 2484	2392	09e9d701097d04698f79e1666583d8d0N.exe	31
PID 2392 wrote to memory of 2484	2392	09e9d701097d04698f79e1666583d8d0N.exe	31
PID 2392 wrote to memory of 2484	2392	09e9d701097d04698f79e1666583d8d0N.exe	31
PID 2392 wrote to memory of 2484	2392	09e9d701097d04698f79e1666583d8d0N.exe	31

C:\Users\Admin\AppData\Local\Temp\09e9d701097d04698f79e1666583d8d0N.exe
"C:\Users\Admin\AppData\Local\Temp\09e9d701097d04698f79e1666583d8d0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\AdobeRH\devoptiec.exe
  C:\AdobeRH\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeRH\devoptiec.exe

Filesize
3.2MB

MD5
7fce89a7f459847c3af67a2995a541a1

SHA1
3d01ef128191647875ebcd9ac7400ec3fecfea93

SHA256
4f8b7e1860958c4dbee24641b6a7a43279f4ef2c02e564486fa524d885171e18

SHA512
0dfebb3d274c9b087ffbebc70c56ca6746861611ba7d1b0b734c68f9dc2d4ecc0dcd7789bddaaaa02433678316979955c13b7051c04fcdea0a7f9c81d8242c47

Download Submit
C:\Mint84\optidevloc.exe

Filesize
3.2MB

MD5
1191c375fc3afde0985ccc7199eb1573

SHA1
701e5a4037d93f08a37fb43e06651fbf99b8ea9f

SHA256
f4ef66f6f4cab4b21b86de53ee90bf00a3fe409a93904d2cf1dfc6d7b0298fe3

SHA512
15c11f265feaafaab628b2d55d88b49aba7386ea6ab2e4999ecf62e2be978cd4eb1287d77ec07d944cfd99353a0e79234f15b5232e8d3db7074252891639c48b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
3bbda992e5495dee789273db14e50efb

SHA1
7411b3ab593fbe9cdb48e214729bf75a503d70dd

SHA256
194bc06a9a3835f254261458d7c66ad2c26075e657e32683065840bce78d19cd

SHA512
9f3bab4acaa59083cf515a1700090bdd60d2fdbd6bb33fe4bbb376899f2ae508ac21ee7c4e28abed0a7339eb97d338b02647ff9e0c8d0283e68300328f0e708a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
16ade974017b78dfb90a69a752a3bb21

SHA1
15ff2151ad942e4aa2923bac917ac2dee514f832

SHA256
0e3ad2636bb552cf5d8e02099d16730d19ffc2adc81f8e27fd22ceaa8902c710

SHA512
c8c17908241b8744e23439bd7b10940f1ae8a47124e880a74944fb63c1cd8066a798df68edb71a745eb69002da5ef21a97e1c490f0bb74364808f77c24358068

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.2MB

MD5
e48d661d405656b79c381b40998575b2

SHA1
bf41cc1f6bc61c83f43b5d434c0944277375fa62

SHA256
aff4692c56b05edb34395038aecec3c45f615b04c77d8c4c8b43ec944b01f115

SHA512
3451a4608c66b77b3420880fe75b8db488ae994de0a3373324b89413fe895d92c2d01d84d2072571d961988be2fcea5a07e4cf2b082698985fa900b4474d247c

Download Submit