502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4644ff643e338dba4beaada055ad79a0N.exe
Size

2.6MB
MD5

4644ff643e338dba4beaada055ad79a0
SHA1

e9ce05dba27d1a730f6bfb77ca455e0910150d6f
SHA256

502b5a17e5c62cbfb5052e2756235240877cfd7db0003b6764cc0cf785a962ec
SHA512

8602b6c5ca2e84070da59ef12228ea5c6d5be3adca111d47f8502fd6a806895ce3e0676d3cf6d7ad8e593b831c9145d0a40692ed96fec197beda41fcd3eabe87
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	4644ff643e338dba4beaada055ad79a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	sysadob.exe
2800	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	4644ff643e338dba4beaada055ad79a0N.exe
2760	4644ff643e338dba4beaada055ad79a0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\devoptiloc.exe"	4644ff643e338dba4beaada055ad79a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOE\\dobasys.exe"	4644ff643e338dba4beaada055ad79a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4644ff643e338dba4beaada055ad79a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	4644ff643e338dba4beaada055ad79a0N.exe
2760	4644ff643e338dba4beaada055ad79a0N.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe
2392	sysadob.exe
2800	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2392	2760	4644ff643e338dba4beaada055ad79a0N.exe	30
PID 2760 wrote to memory of 2392	2760	4644ff643e338dba4beaada055ad79a0N.exe	30
PID 2760 wrote to memory of 2392	2760	4644ff643e338dba4beaada055ad79a0N.exe	30
PID 2760 wrote to memory of 2392	2760	4644ff643e338dba4beaada055ad79a0N.exe	30
PID 2760 wrote to memory of 2800	2760	4644ff643e338dba4beaada055ad79a0N.exe	31
PID 2760 wrote to memory of 2800	2760	4644ff643e338dba4beaada055ad79a0N.exe	31
PID 2760 wrote to memory of 2800	2760	4644ff643e338dba4beaada055ad79a0N.exe	31
PID 2760 wrote to memory of 2800	2760	4644ff643e338dba4beaada055ad79a0N.exe	31

C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4644ff643e338dba4beaada055ad79a0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- C:\IntelprocH4\devoptiloc.exe
  C:\IntelprocH4\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocH4\devoptiloc.exe

Filesize
2.6MB

MD5
4ede67ad2e61afbac30c04a02ec0898a

SHA1
15630d0901a17ff35f910d3da0ece6fa1f052afe

SHA256
a19fd4b6049c48ccf22f2b7704e59909680c9e2e4261e98d43c7966b3be4998a

SHA512
af2f8d25edf004cf8f06e697576bb7a35832a2b27d60c4ad4df8833c9a212fce68fc4549cd262767c9f4a42157e9b8a481a6a90f0e2e4b6efda6e93a57186f2b

Download Submit
C:\MintOE\dobasys.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\MintOE\dobasys.exe

Filesize
2.6MB

MD5
abfc60be780bf43347f978c6045ed639

SHA1
c8e6c3cd43ea250015589b37d5a5a854cc7ee506

SHA256
f17f882d966476ddd77c579aa8dfda397e0a400f386c78bfd38f1ec2bfb64205

SHA512
2bb3be7a5df39a78ac2f365cb7d9e697c6ca291f354b21c73ff7579bb67d1063e5340d2b540b3d8b6f8b1eff30f43f724a8e56d25f7a676acdcd5736c88d8672

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
e67d620e51c7c141d3ab3614f0c5a186

SHA1
4e55daf86b2b8a13d5b335c163a72b3a4da9dd66

SHA256
15a2decdf9569f43258cfc546af84cd8f8f69ebc93f349f8d32cffdea6f6c051

SHA512
d1d630eaf71306cf3af0dd9684a615a029c6ca076f80a2b0604f04c37e3d1699ae76fb06e975e239dbcd064d51980943253f1cd62ae49ad47908ee3661b81973

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
06018b9a0bbc632dcccddd43cee4d72f

SHA1
8b3ee9ecd5150ffa5c42acbc7d6d96d2e4bed344

SHA256
c59cde484857ad62bdaee2316cca5c208d95700337b44cb33f205e2fa165f3b9

SHA512
4fc2044517e8ebe1cd81c19429761204041263d2ecf742e93826ed9288486c562406cf409ffb44a3041cb2b563cb7b8da5ff9ace11e1941a4807466bb4e24537

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
029d8548df2adb1fc59605b939bd75cb

SHA1
dbd130bb925e6ae6cbbe94dbd03a948558fb73a5

SHA256
85f0c2add278470ecf9e7e63bd986f82525dc6ef8bdf91da56281cdaf5d044ee

SHA512
69b87c140d14475d1493340f427c0bca5933124676b89f5154d6e6522ebe32385f00e7798286016d619424b9ec4ebb79802b0631585de68895d720da1d510015

Download Submit