26d0f8bbea034e94934b5e138d5bfeb8c8e3a60967571a212ca4743dc4255386

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

853aa45dfc957703c23d4cb7056c9040N.exe
Size

2.6MB
MD5

853aa45dfc957703c23d4cb7056c9040
SHA1

2b397b31a5f7258cec43db9ec654204459b578d6
SHA256

26d0f8bbea034e94934b5e138d5bfeb8c8e3a60967571a212ca4743dc4255386
SHA512

3417ffaade5ffb045ec859d19354dd4e718e27dd6ce1f22138f25b0590d49f6a100d94d1a8f12737a8d54b647499745698c196a691a536d3fbc78d8ac7b999d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	853aa45dfc957703c23d4cb7056c9040N.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	locdevbod.exe
2752	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	853aa45dfc957703c23d4cb7056c9040N.exe
1872	853aa45dfc957703c23d4cb7056c9040N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQH\\devdobloc.exe"	853aa45dfc957703c23d4cb7056c9040N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGO\\optiasys.exe"	853aa45dfc957703c23d4cb7056c9040N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	853aa45dfc957703c23d4cb7056c9040N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	853aa45dfc957703c23d4cb7056c9040N.exe
1872	853aa45dfc957703c23d4cb7056c9040N.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe
2400	locdevbod.exe
2752	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2400	1872	853aa45dfc957703c23d4cb7056c9040N.exe	30
PID 1872 wrote to memory of 2400	1872	853aa45dfc957703c23d4cb7056c9040N.exe	30
PID 1872 wrote to memory of 2400	1872	853aa45dfc957703c23d4cb7056c9040N.exe	30
PID 1872 wrote to memory of 2400	1872	853aa45dfc957703c23d4cb7056c9040N.exe	30
PID 1872 wrote to memory of 2752	1872	853aa45dfc957703c23d4cb7056c9040N.exe	31
PID 1872 wrote to memory of 2752	1872	853aa45dfc957703c23d4cb7056c9040N.exe	31
PID 1872 wrote to memory of 2752	1872	853aa45dfc957703c23d4cb7056c9040N.exe	31
PID 1872 wrote to memory of 2752	1872	853aa45dfc957703c23d4cb7056c9040N.exe	31

C:\Users\Admin\AppData\Local\Temp\853aa45dfc957703c23d4cb7056c9040N.exe
"C:\Users\Admin\AppData\Local\Temp\853aa45dfc957703c23d4cb7056c9040N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\SysDrvQH\devdobloc.exe
  C:\SysDrvQH\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZGO\optiasys.exe

Filesize
2.6MB

MD5
1dbec3ab6e5d419ac93e9792a57779ad

SHA1
e55ed001f6104fa44f3d1b95b941112da997f781

SHA256
8101ab2211c40c9b6640ddc44b57290789a2ed80d82dc18669b763d64618299b

SHA512
e8854b0290e4e9fded66f7dcb276a0b7304b9ef953f2d1ca9bd9380ee5d7756ba177023379319edee46e6f5b6c794accc624aad024974ad0bcc7faab8c696645

Download Submit
C:\LabZGO\optiasys.exe

Filesize
2.6MB

MD5
95c3be260a13a0e2d992729d165dfc25

SHA1
e650ec296e2bdf481d3bffdb325fc5d16b567b37

SHA256
1a1b58402d157404447cf02c05b505a71f964f0238ce1f9b5b58589cbe91d155

SHA512
26024dfe16b67ba98cf469c5d004e84f6ab179146f838ad500dab4d4c77ac4f9637084aeb7c94a07a235bcf10216530513aa4577d70f4bea57b5a385e37f1d31

Download Submit
C:\SysDrvQH\devdobloc.exe

Filesize
2.6MB

MD5
0d661f762e69e65df52d386dd8aa7eb6

SHA1
258c71364b57e3e62c4f1463bb83cc9ac1892544

SHA256
15a6b906780fbf0e4dff8b1fd7642262c78685a11265763f3bbe53f16602676f

SHA512
df49fe314edf76ad414ba111037d07faa55043554bc43006a1465f8db5ae493c6d067f5740a158293a16bf953e4b7d913e8a33a193acc02bb147b7e648b70d63

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
818eac5cb8a8adfff76bf734e7c24b00

SHA1
d57fb47c5cab4340134b6c3c8e98043a85d231d3

SHA256
b462429bad0ac500340f23d303d2dec49fdf2f1b4718e79cbee4228a53f5b755

SHA512
9457882b628c98f58b4a10d37c821ca4dc732fb67440c47610759d64e936d8e4f93cb0676aa5f3ca5ab97e18088a728f6ad83084aae7344e700cd20929c43cdc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
0ce4123fe98960c080388610cd927d5c

SHA1
bfd400cc1f7f1552b14bcabb8cd1a0d02d330d32

SHA256
a7bf1aa879a071a8470c1ed4f8b0178fb3ea2ecfdac5d81fb93c91b8b3751e4d

SHA512
5d2398f684070963e0d84f2f79542b3ea072843ab9d22ddf38e4ce00ce7015aeeaace9c80644d2a4966190fc3e2510d0ba09593317045a111fb269a1dad7d1f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
4e93b3ae16ca482477c4d9b520207e73

SHA1
7782649f787638dae79a2d7fe35856f9273e4f56

SHA256
c3a59e9abecc62bf3ef461fd9e2025f0ff96dcb2e50cb7ae9a0baba3156649c6

SHA512
1247ae19f6e74aaa9011c2d96c5359c9c63d3a4d351fa3541382dfb913578fe2033cc859b4db5378596e43146d9e9ee93fa69820248fa5d9074dc16291c2d874

Download Submit