e3352c204245b7ab73c3b1210b8cdb6d0b779cc5820996a509b64ca5a608902b

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9685165a0671d9571420d4d3290f6ae0N.exe
Size

2.6MB
MD5

9685165a0671d9571420d4d3290f6ae0
SHA1

a3fa639237e701401f5ec5a83277b49d504b3fc3
SHA256

e3352c204245b7ab73c3b1210b8cdb6d0b779cc5820996a509b64ca5a608902b
SHA512

7bfbf62cc524bea401b89f00b368004032fdef1feb3013c96cf205e836614b069fc6b6790bcec2a93d7a017b38aa52511b4bec1b809de1fc4573f878bb5173e7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	9685165a0671d9571420d4d3290f6ae0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	sysdevopti.exe
3200	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesO0\\devdobsys.exe"	9685165a0671d9571420d4d3290f6ae0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT9\\optidevloc.exe"	9685165a0671d9571420d4d3290f6ae0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9685165a0671d9571420d4d3290f6ae0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	9685165a0671d9571420d4d3290f6ae0N.exe
2564	9685165a0671d9571420d4d3290f6ae0N.exe
2564	9685165a0671d9571420d4d3290f6ae0N.exe
2564	9685165a0671d9571420d4d3290f6ae0N.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe
1808	sysdevopti.exe
1808	sysdevopti.exe
3200	devdobsys.exe
3200	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1808	2564	9685165a0671d9571420d4d3290f6ae0N.exe	88
PID 2564 wrote to memory of 1808	2564	9685165a0671d9571420d4d3290f6ae0N.exe	88
PID 2564 wrote to memory of 1808	2564	9685165a0671d9571420d4d3290f6ae0N.exe	88
PID 2564 wrote to memory of 3200	2564	9685165a0671d9571420d4d3290f6ae0N.exe	89
PID 2564 wrote to memory of 3200	2564	9685165a0671d9571420d4d3290f6ae0N.exe	89
PID 2564 wrote to memory of 3200	2564	9685165a0671d9571420d4d3290f6ae0N.exe	89

C:\Users\Admin\AppData\Local\Temp\9685165a0671d9571420d4d3290f6ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\9685165a0671d9571420d4d3290f6ae0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\FilesO0\devdobsys.exe
  C:\FilesO0\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesO0\devdobsys.exe

Filesize
2.6MB

MD5
3e474b25c5fa70d1218270ec5bb579d6

SHA1
4a127658bfa7ef9fb033597fb2da4ac7eb9c3c1b

SHA256
83bd67965c97ea29c0b72a8ab543212d91993d3503dbab4e15188eb8ae97cc67

SHA512
18eefab12933a3233a227ea6732486e29e76a41cfa4e9cb907f05d2acfb1b909a8eae88238e3eb0e1d042b595852a08d9b926c4e9c20ef3a220e5c8de1b3ee64

Download Submit
C:\GalaxT9\optidevloc.exe

Filesize
1.0MB

MD5
b617387d8f99b7e9942a665827c1a50b

SHA1
643940555b4cfd2b1a965eb5b89d51b993c9c318

SHA256
55c59745a02ff9c12af0cd74e33d391abd3ec692d3699576f34292d8905d87e3

SHA512
31f7aa600f27b4f7c0d3e8960ee2c71a57ca37f99cc166a4a5f480441f47fe5c3af4a6b2987ebbe88692cb79f30d970d5ba888607fc164118cb3ca8cc3b44f47

Download Submit
C:\GalaxT9\optidevloc.exe

Filesize
778KB

MD5
6bcbeec8188f0054fa9ef35f48c68686

SHA1
6e4da209cc3a9ae9df0b90fc32394c72138f9d25

SHA256
2404925e5412015fb2bb619f8fca405e5322e386d4b4299f095296cf6e4eca58

SHA512
8c03790698dbeddc3bef1c7c09d58f2e37e637f318c12a8cb23a85346fa4b23f2bf89d3a29862f2bb5254f2b3c09ea66831eb1c72ec8d0e384f316bbee858421

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
b3fb94bbdada32cb8c1ec8fb1be77728

SHA1
267580bbcd24fd7ce2108a508bb8dd241ecaa9d5

SHA256
f16015dbb682400db15c60d38dc72b940230d1e1c403fda72c726ad3afd43264

SHA512
308cdceafa0ecab321000d217dbf064e4aea6e4f7778cf73f4bb03ae2e56286a99bfdf5c631c0df8a9ccffe474b38da2974ae1bd881cf576ae4751bcbdd1307b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
177B

MD5
8c42764b3751f2a2c0bee75ffc438dd7

SHA1
98de658c18ebf7448383a772bfd38852a989c666

SHA256
98ac131cbb3844757ac682339964145e68dc3ef0f432cbe1f96df32219671f12

SHA512
d362387e61778804963b997d99115a24b567493a30d2625f4273a84714332f3980a66dc526fa5a59477d5af5c445c54f5eb7ca8f4e2b46d2c77de70ab0bc3c84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
7041d97add831f3c642893161b013675

SHA1
47d456854ddb3c18fb8785fd9800668f61caa8a1

SHA256
a945f8ace56fbd7e6d890672473e71dae2a8f08cb01408c287dc52cec6ec2054

SHA512
17f6cf45d98145f71d4df933547f72ba272ae97eb703f6d54639b82613ceb570982b94d4ae0ca4b9afd9297c257e77e7e78ec8e7318c85c85c8cb6a8589ab6e9

Download Submit