10fb60e3a76c4f09a2bb7919c18b8d6ba8bd1669b07c3b0f345666e5b2f61135

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95b95924b82fd993ec29d10c00a58850N.exe
Size

2.6MB
MD5

95b95924b82fd993ec29d10c00a58850
SHA1

7477b6021da065d73529fc056898d5cdb6e00032
SHA256

10fb60e3a76c4f09a2bb7919c18b8d6ba8bd1669b07c3b0f345666e5b2f61135
SHA512

cf8fe15e4b48ce9e65501c1b031afe493ec5957937be9df70c941b98e7d157f11aaeb77929dfebc26e38a7d704d488ffcbd75f4e6f5e88e567fa2ed1a0194407
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	95b95924b82fd993ec29d10c00a58850N.exe

Executes dropped EXE 2 IoCs

pid	Process
2104	locxdob.exe
1648	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	95b95924b82fd993ec29d10c00a58850N.exe
3004	95b95924b82fd993ec29d10c00a58850N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0S\\devoptisys.exe"	95b95924b82fd993ec29d10c00a58850N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOP\\optidevec.exe"	95b95924b82fd993ec29d10c00a58850N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95b95924b82fd993ec29d10c00a58850N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	95b95924b82fd993ec29d10c00a58850N.exe
3004	95b95924b82fd993ec29d10c00a58850N.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe
2104	locxdob.exe
1648	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2104	3004	95b95924b82fd993ec29d10c00a58850N.exe	31
PID 3004 wrote to memory of 2104	3004	95b95924b82fd993ec29d10c00a58850N.exe	31
PID 3004 wrote to memory of 2104	3004	95b95924b82fd993ec29d10c00a58850N.exe	31
PID 3004 wrote to memory of 2104	3004	95b95924b82fd993ec29d10c00a58850N.exe	31
PID 3004 wrote to memory of 1648	3004	95b95924b82fd993ec29d10c00a58850N.exe	32
PID 3004 wrote to memory of 1648	3004	95b95924b82fd993ec29d10c00a58850N.exe	32
PID 3004 wrote to memory of 1648	3004	95b95924b82fd993ec29d10c00a58850N.exe	32
PID 3004 wrote to memory of 1648	3004	95b95924b82fd993ec29d10c00a58850N.exe	32

C:\Users\Admin\AppData\Local\Temp\95b95924b82fd993ec29d10c00a58850N.exe
"C:\Users\Admin\AppData\Local\Temp\95b95924b82fd993ec29d10c00a58850N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Files0S\devoptisys.exe
  C:\Files0S\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0S\devoptisys.exe

Filesize
34KB

MD5
4cffe9dd8bbd3da88030f4da1f6ba873

SHA1
826833e760f12db0bafbbb60d5d1873bfb062c1a

SHA256
ceb6cb640c178e21cf623359bf8c327d17182d4a805736bf547899403d40ae56

SHA512
9d20318f4f687cc8f1c81fff1531eae68c39301144ce242017cfd5b2c7c3ad3254d7c725c7778a048d0d9b37c813e101d567735ad24770f1919af06e6a27a1a2

Download Submit
C:\MintOP\optidevec.exe

Filesize
2.6MB

MD5
48a38c7dee2d59a9a091ea48f60896ed

SHA1
02f674c36c281f6b5fab3a15d6d934943012a473

SHA256
0a8a6ee8955cf748c5692779b388400f93a886dda3fbe40d8ff1d2c7198d8c83

SHA512
7ec40a9e3f6c8fa9a27d6c422fbf98e0850b493562af2efa31d1dc251229e7397c779d44cd7a46e3080c7e3175b70e1ef87399f8f17d093bc6cef2e7b45a1020

Download Submit
C:\MintOP\optidevec.exe

Filesize
2.6MB

MD5
a0329ee563be6368035ecf3e946f7adb

SHA1
33c378ce76d3191d32af16dbc4d3cd63e8e200db

SHA256
d81930095509487179fea6141f09178ba8aa9e651b262d7851fdc8d181844bbf

SHA512
194d3293d5a30b458a2ff340432512b037616efa165932752bb087c431e5a2858d93bd261cd82e9b86f52787c732826aacbc9384c799a0acf8cecde7f033afe8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
20920cca9da55e329b4565df6bcb7f34

SHA1
53b118502209b8d71899cdad72f55e87c0a5989b

SHA256
abdf854b0bafee81aac640dcbddae09cd9971e9a54e2ac75f8fac3eae48ac3fa

SHA512
dfbf5b2ef00942679b93e28888781f12e596a171cf8485a092b9220a6487c2730ab9fa0b83041e31fb97d28db2261302ef9073d8f2964a6125c0615cd7157ee7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
bd773a5501a2bf88fd33ee7be0c7ef94

SHA1
e86e7c6de33c01db46adfd2eff17527eb3484994

SHA256
5cd10595b1cdb1f74e3738cbd47a443eb89987a8a26918e7a87849f0c6dc48c8

SHA512
d10370cfdbd683db9e29fd7f0b945fa8dd753c6daad264ff82351294ea038510922c4778ad6c24514aaee9ee62cc8064c1ac4476ef27f6f1f3859f93ed94f80f

Download Submit
\Files0S\devoptisys.exe

Filesize
2.6MB

MD5
18e80e39407501e5dec072bc13e4d489

SHA1
fb731bc21e4c7aab884902a545aabb88917267b9

SHA256
42b667ac6122b1f55bab61cf6b03fac590333ef01f20f1ac8184f3146dcfa92d

SHA512
311834b70c3a77013a87c233186d8cb8877cb04e3bc4782e6ffc0d26eb2a5bd9d281e54c4a5dd23313475bf2296cbad8c2a46655742968c8ae524d0a6e2f78f7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
4d87e7af0787d6fd4e98f16fe37a68c4

SHA1
e58d28a2cb37e00d9d80ee390024a5e14dd133d4

SHA256
d629e0e6f00771605f38da80cd1251860247155dadca4b140c5b06d5e4c46a0f

SHA512
4203b77e4eee6a54040cae94e841dc7ced36d52ba356da1a62f5d24a241d87007b834bdb7293c83e4da02527992b9eb1c9b98242bf87beb01d7cb264be8f518e

Download Submit