05928d7ec67a09d2a0735311d48be25e09ae1de431a11a5f92d5abcd1063a111

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a7270f6f685316254f1fcb5833c6a40N.exe
Size

2.6MB
MD5

5a7270f6f685316254f1fcb5833c6a40
SHA1

bf89cabda66c8728a9010be06704033e4dd7e6a5
SHA256

05928d7ec67a09d2a0735311d48be25e09ae1de431a11a5f92d5abcd1063a111
SHA512

ea1e5528b12493c5842414bfa4346625ace3f45ad0768dca74fad51460da29f9422eee175627082db2a929666aca9d63486c5a771de237e2cb0e4c0b6a7669d2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	5a7270f6f685316254f1fcb5833c6a40N.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	locadob.exe
4832	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotV7\\devbodec.exe"	5a7270f6f685316254f1fcb5833c6a40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAA\\optiaec.exe"	5a7270f6f685316254f1fcb5833c6a40N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a7270f6f685316254f1fcb5833c6a40N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3716	5a7270f6f685316254f1fcb5833c6a40N.exe
3716	5a7270f6f685316254f1fcb5833c6a40N.exe
3716	5a7270f6f685316254f1fcb5833c6a40N.exe
3716	5a7270f6f685316254f1fcb5833c6a40N.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe
2736	locadob.exe
2736	locadob.exe
4832	devbodec.exe
4832	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2736	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	89
PID 3716 wrote to memory of 2736	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	89
PID 3716 wrote to memory of 2736	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	89
PID 3716 wrote to memory of 4832	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	90
PID 3716 wrote to memory of 4832	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	90
PID 3716 wrote to memory of 4832	3716	5a7270f6f685316254f1fcb5833c6a40N.exe	90

C:\Users\Admin\AppData\Local\Temp\5a7270f6f685316254f1fcb5833c6a40N.exe
"C:\Users\Admin\AppData\Local\Temp\5a7270f6f685316254f1fcb5833c6a40N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\UserDotV7\devbodec.exe
  C:\UserDotV7\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAA\optiaec.exe

Filesize
2.6MB

MD5
26c3477c90cb5b634eba644e0e74937d

SHA1
061ec0ad79b2f2e79e3a1c6417485ffa5f0a7a80

SHA256
e8f71c44ccfb5e9475cedb76a3dc6008bfd040ad01c3154dfb7573ab486143f8

SHA512
38a3bbd8ad0a37fe2dd08bb8edfd8a9f12fc776dc99ab7a09414ca334b3c085d4f969fc3c368bfbe84c06765bf101fb52f9e365a6266cece784fb5d852d47181

Download Submit
C:\MintAA\optiaec.exe

Filesize
2.6MB

MD5
a11c1e8f72aefaf3e38723bc8df251e6

SHA1
f53a559f2d95b024aeff887da16c82b7616f7fcd

SHA256
2eced208a5e6e11c6c1ea46a876ecb91d9340c5abe0019c5129758e5e28584e8

SHA512
d1e694b4887c9a870b75d0b99e996159e820721f577369fe383415da8996ee71aba45b8d1a62e847248e5c55a6d3946c4ab1e5362cc75e9583962926eb11b08a

Download Submit
C:\UserDotV7\devbodec.exe

Filesize
2.6MB

MD5
fccc0133f013a2b3772b47e6f23d859a

SHA1
811364e8038942cb58fde3326c20d2557c45ec47

SHA256
c886208ab2a3cb537643df6f9e0f6c913ff3e9bf6006d28556c5df234918847e

SHA512
79a7b7d918d1edec563bb8c8bfcaa6351df300fb2f87e603b77b6b54124e7035f310e30e1832f9178cf7a137b3c194759d86ebffb58bbe41b7d09705b2c78654

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d126931bf8da4ecf2ccc2516ae243d7d

SHA1
40b9a5c7f7f0edd47e16e8801ccd718a6ac9e03c

SHA256
0bdefc9222d5aabe12ebd05f3e3d11292771e1c644e231cdf18dbe9ee38ff01d

SHA512
814b7d63ee3a5ae447f4d4f9dd4fcd89b209d04d266b772233a4c5eebd01506424c477837e3b2654c30f2fccdc84dbd1a83e00f534734ae39e65e17caaf7a6a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
963c29b0f0497c66510a995f937fdce6

SHA1
a0734fa045ecfbef5f73d0fa57d50e8476cf6f74

SHA256
0d12ea608f49c77df0a7ba99978e33fb11f3638c52f74fd77b29b17020a0e276

SHA512
721e5169fe2f500d9c4d6611f07ad3dd593b6b5d460fb5cf5aa793e8713ff194719907b1126dc2174ecf56758c5a666c191bc974ed1af9c9877154c9baa0d461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
abb83eb77850b34618794b46ce9cbff7

SHA1
0714ab5063f807948a923a765b989d9ff64ca4cc

SHA256
35258b1e3c4c1bfd24a8f916418fbabc62be83b4c052587551f9a520f0543164

SHA512
5e4659ccee87d6bd549bdde9cec1dec5f84def52d37ba7346fb7ea7ca695b60369b5675ed2860036517dfe818394834fd724ca648fc2c3d38170288133bc83d3

Download Submit