10fb60e3a76c4f09a2bb7919c18b8d6ba8bd1669b07c3b0f345666e5b2f61135

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95b95924b82fd993ec29d10c00a58850N.exe
Size

2.6MB
MD5

95b95924b82fd993ec29d10c00a58850
SHA1

7477b6021da065d73529fc056898d5cdb6e00032
SHA256

10fb60e3a76c4f09a2bb7919c18b8d6ba8bd1669b07c3b0f345666e5b2f61135
SHA512

cf8fe15e4b48ce9e65501c1b031afe493ec5957937be9df70c941b98e7d157f11aaeb77929dfebc26e38a7d704d488ffcbd75f4e6f5e88e567fa2ed1a0194407
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	95b95924b82fd993ec29d10c00a58850N.exe

Executes dropped EXE 2 IoCs

pid	Process
3364	ecdevopti.exe
1008	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLS\\optialoc.exe"	95b95924b82fd993ec29d10c00a58850N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7E\\devdobloc.exe"	95b95924b82fd993ec29d10c00a58850N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95b95924b82fd993ec29d10c00a58850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	95b95924b82fd993ec29d10c00a58850N.exe
2584	95b95924b82fd993ec29d10c00a58850N.exe
2584	95b95924b82fd993ec29d10c00a58850N.exe
2584	95b95924b82fd993ec29d10c00a58850N.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe
3364	ecdevopti.exe
3364	ecdevopti.exe
1008	devdobloc.exe
1008	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3364	2584	95b95924b82fd993ec29d10c00a58850N.exe	87
PID 2584 wrote to memory of 3364	2584	95b95924b82fd993ec29d10c00a58850N.exe	87
PID 2584 wrote to memory of 3364	2584	95b95924b82fd993ec29d10c00a58850N.exe	87
PID 2584 wrote to memory of 1008	2584	95b95924b82fd993ec29d10c00a58850N.exe	88
PID 2584 wrote to memory of 1008	2584	95b95924b82fd993ec29d10c00a58850N.exe	88
PID 2584 wrote to memory of 1008	2584	95b95924b82fd993ec29d10c00a58850N.exe	88

C:\Users\Admin\AppData\Local\Temp\95b95924b82fd993ec29d10c00a58850N.exe
"C:\Users\Admin\AppData\Local\Temp\95b95924b82fd993ec29d10c00a58850N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\UserDot7E\devdobloc.exe
  C:\UserDot7E\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintLS\optialoc.exe

Filesize
2.6MB

MD5
1565306e48eab0cdd08f58e9cee9a786

SHA1
892a95190d9aabe5222617c07283dafbc0c07622

SHA256
378614538b65ba0fdde2f01f64559cf879325e39afddc4fed74ba6b8adb64437

SHA512
8a999860557b917e6e496421309959387fb2606610cd72af3ebee1dad8c2245bf7b085ebe79e2ee1839815e91ae23d276c924b2a2aedc6e8126602d4f5eb7dc4

Download Submit
C:\MintLS\optialoc.exe

Filesize
94KB

MD5
9712dc569832cc84d1418a7dd628db08

SHA1
9ecda76cde7210e81426cb7426fdbe16803a5c59

SHA256
e29d6e9466890f6e6dd8200bbc774f60a85a0819d8e09fb1a4bc10257a6fed59

SHA512
02faad91b5e986a613ef6301c71ed558ba138abe2955801d53111f24492f52c31610bce3219538c4446fd62726bb608e1079e0e269033fc55f679dddb2d650f1

Download Submit
C:\UserDot7E\devdobloc.exe

Filesize
342KB

MD5
218777322c8b756a99a8c4f265a3d649

SHA1
46da3dc0f1dd13ad8089b7bc899e1ed9fb67f194

SHA256
fea7a47bb662c6ca1b21bd2f86fd87fecf455d1c4c14d9a7c6504c0cb3cbf6b4

SHA512
fad1d110767890ea03886d349bceaf0dd54d99ff76a7ebacee3654d7b0f1db710d967a43a8c712f16b47f9562fd85fe54e920a93d1cae02b54d32d3e15dfab4d

Download Submit
C:\UserDot7E\devdobloc.exe

Filesize
2.6MB

MD5
fc4cf32de19824eb482819724b672ae6

SHA1
544a17130d6299236a0d8c0fb205378a84a5afef

SHA256
724e995f22d7cb860ea3bb4e4d422243bdaf14ef024b9a22ca3cdd25487a8b10

SHA512
2b3d90fc3b5125d74df10d7cebce1fa7482a34a29ccf764e69d4fb14de657254321776bcf721e00bab02d8da2e60c6209a5ae379ae8b96a4f28fd3168e747cda

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
7b4a282e9a0bd2fec879c5165f051f8c

SHA1
0c7eca796fc11ac91d4beab5c58db1055be150b0

SHA256
af27cfdf8887eb69bf33208b415910d0184aa4eb3fda00017a067b1a5bc7295c

SHA512
7eedb269076db5e47a12577cdd98442bf048ba52526a40b7c2b2acca78010cd7ae47607a3914cc3b03ac22be2c98f71c3c983fcd5e229fcae2009928f537264a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
3a928c11d07dacbcd708644d796ca32f

SHA1
6cde0f8c4cc970e771cd21fe8c3a8dc7505885ed

SHA256
906e73a1489957a73e79506340e5b4623a31f21118f5d1176f87d54cdcd4a701

SHA512
3b8ad93ff36f0a5cde11174f03fdc1366d26a04a27bec927f09f61765e4583c2e6fbc17d35996679d2e66854b2a1c0ac53663f6fbbad3b8081aad49e7ae1da75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
937c345ad959062c04f77994ce63d597

SHA1
7305382a6e865334331578e3cc055ebc45931422

SHA256
5fdd0081f3010db45e1b64ef91360f291af97b90eb8038c61e53b7ae187b6f4e

SHA512
44103f4f2a9cb52de708af0abda01560c455bf93879348e329e87e2f039c888ad375830819024efc250c9c59f8b854200ad9fc5b3befa4f902f4f0256ef825cc

Download Submit