52c4c8407732887443c22ac5384f9c0449466f0dfa85f3089c326c3cfc1cb38b

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5df9419512358808c38e59bcebf0f680N.exe
Size

2.6MB
MD5

5df9419512358808c38e59bcebf0f680
SHA1

26e87b3c46f4dcd656d0a1ed7659dd3819f7ceb0
SHA256

52c4c8407732887443c22ac5384f9c0449466f0dfa85f3089c326c3cfc1cb38b
SHA512

a9f70a3215a514fd7f1e2105ed5c771b5ba6e41ed18770f59a6eb208bfa0737805d5236027f1d21d7399c6ca436cdc270756c11b2e31f943eb1d0f40d76594ae
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	5df9419512358808c38e59bcebf0f680N.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	ecdevopti.exe
2264	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	5df9419512358808c38e59bcebf0f680N.exe
1684	5df9419512358808c38e59bcebf0f680N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJP\\devoptiec.exe"	5df9419512358808c38e59bcebf0f680N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCD\\boddevsys.exe"	5df9419512358808c38e59bcebf0f680N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df9419512358808c38e59bcebf0f680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	5df9419512358808c38e59bcebf0f680N.exe
1684	5df9419512358808c38e59bcebf0f680N.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe
2204	ecdevopti.exe
2264	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2204	1684	5df9419512358808c38e59bcebf0f680N.exe	30
PID 1684 wrote to memory of 2204	1684	5df9419512358808c38e59bcebf0f680N.exe	30
PID 1684 wrote to memory of 2204	1684	5df9419512358808c38e59bcebf0f680N.exe	30
PID 1684 wrote to memory of 2204	1684	5df9419512358808c38e59bcebf0f680N.exe	30
PID 1684 wrote to memory of 2264	1684	5df9419512358808c38e59bcebf0f680N.exe	31
PID 1684 wrote to memory of 2264	1684	5df9419512358808c38e59bcebf0f680N.exe	31
PID 1684 wrote to memory of 2264	1684	5df9419512358808c38e59bcebf0f680N.exe	31
PID 1684 wrote to memory of 2264	1684	5df9419512358808c38e59bcebf0f680N.exe	31

C:\Users\Admin\AppData\Local\Temp\5df9419512358808c38e59bcebf0f680N.exe
"C:\Users\Admin\AppData\Local\Temp\5df9419512358808c38e59bcebf0f680N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\UserDotJP\devoptiec.exe
  C:\UserDotJP\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotJP\devoptiec.exe

Filesize
2.6MB

MD5
32fc5c91b7b6f54e091168f68f00609a

SHA1
aee5e6edd009c7c2fdf4e5fac75291150416e185

SHA256
cd102c542a440ef7d9745b439ceeadf120836045e18af7d016eb5ad426485835

SHA512
d0c20320c9d4915b18a4e018ad77946212cb5c1fd5efe2ee26cf864a8ac72bf75f14c45c1c47302b0bee3ba873f1badcd8340cb81e2f20a790798468f8827881

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
b9b230fd72a4c6ecbfb34604593adcc4

SHA1
3dd994a2670f32f4ad70b417727b4c1ec7ca29ff

SHA256
df8dde1b178647ab5b64fcdebfb8eacc5d1c46bb6589419e4a62deb49925dee1

SHA512
7fe8270c1506cd50abae5ea7eab71f50f560e99c7d204430ab337a60c472ebeaaf63d2bfef2eecf79a4c5ac4dfcc6b362d4396e7dba53e1564d4c11ea785a19f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
1b95837fc5149687921dcab1aa01d9f1

SHA1
4046b1533ba9d072009c1a4ebea789da26d33dcb

SHA256
2f52984120102b238da37020e9baffef1607a667da7fd8dc085a78419763b187

SHA512
de8ae16c15b0bb69b81468a62192fef89556bf52d1af9907ed24399206a15bd5af388426ede0bc76ac97f81ee798a242a85f6031e6cbf3cebb6a4882249b02df

Download Submit
C:\VidCD\boddevsys.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\VidCD\boddevsys.exe

Filesize
2.6MB

MD5
14cd5e4da648154c2dd1d4d30d5c0eb4

SHA1
2197708badafcccefc71659626e3e308bc3876cc

SHA256
6ce6b73196f90f7f86b1cb3aef683a6e6ab244f07c487992ca2a61ddd801abaf

SHA512
663ae5d4fc9248deb81ca37d0dd80c89f3f02d8ebb4c1ecfcf28fc3c4d03d5d456f752ce6c14b35617577ec2eeab65ee44c6612495b30ab38ca978eba29c84fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
786ac6aa35348517d40ebd701139ce73

SHA1
8a5ff5644d6cec9b019aead5e2a8ed41aa3771c4

SHA256
c2c3a10b3e0dbfa6a0b9d0a5df05a7797dca4326a246e07a852b1f3311421b13

SHA512
aeb7a6e37d363699bef5bb4e63f5b4aa1a5a82eb8f6f1a54e42d967c961c6a7eb075e5b94c695df680ce6d93f9e50c1ccb08b69b825ca1a3fa820e14299f9573

Download Submit