bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db00276d6303371ff33d01daca3daf00N.exe
Size

2.6MB
MD5

db00276d6303371ff33d01daca3daf00
SHA1

04f3de19e7f96461bc5af303908cd0f7af4103bd
SHA256

bf85caf1ad972fed65bbc29ab85243f8dc0172792b5002e6fc8630abb71b1c8c
SHA512

e90ceaf4b44e82c88b07ce420f6135e72bc70e95772cdeee7262e7e9f75d7fdef3fe253117373e9c3a1e24a1ebd4a726363f437f74c8c2d552bbcd8f156691a1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpib

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	db00276d6303371ff33d01daca3daf00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	locxdob.exe
2716	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	db00276d6303371ff33d01daca3daf00N.exe
2264	db00276d6303371ff33d01daca3daf00N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP3\\boddevsys.exe"	db00276d6303371ff33d01daca3daf00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUX\\devoptiec.exe"	db00276d6303371ff33d01daca3daf00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db00276d6303371ff33d01daca3daf00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	db00276d6303371ff33d01daca3daf00N.exe
2264	db00276d6303371ff33d01daca3daf00N.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe
2712	locxdob.exe
2716	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2712	2264	db00276d6303371ff33d01daca3daf00N.exe	30
PID 2264 wrote to memory of 2712	2264	db00276d6303371ff33d01daca3daf00N.exe	30
PID 2264 wrote to memory of 2712	2264	db00276d6303371ff33d01daca3daf00N.exe	30
PID 2264 wrote to memory of 2712	2264	db00276d6303371ff33d01daca3daf00N.exe	30
PID 2264 wrote to memory of 2716	2264	db00276d6303371ff33d01daca3daf00N.exe	31
PID 2264 wrote to memory of 2716	2264	db00276d6303371ff33d01daca3daf00N.exe	31
PID 2264 wrote to memory of 2716	2264	db00276d6303371ff33d01daca3daf00N.exe	31
PID 2264 wrote to memory of 2716	2264	db00276d6303371ff33d01daca3daf00N.exe	31

C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe
"C:\Users\Admin\AppData\Local\Temp\db00276d6303371ff33d01daca3daf00N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\IntelprocUX\devoptiec.exe
  C:\IntelprocUX\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUX\devoptiec.exe

Filesize
2.6MB

MD5
184d5cacac5ffc8b6821a03752240ddb

SHA1
1b00772d6f64eed0228e31dd31379158ea8615ec

SHA256
91a175cd661e87288dc5cb0e5ebcb772a0cde61ce151d416be9300c1fc5a1faa

SHA512
ec681a667cf175fd34107a9174cbaabc9c20376fb1652d46be228e6aa053ceb71a2b11b54afd5bbd539957384502c8a871ad4f51966202395ffe5fa111fda9d1

Download Submit
C:\MintP3\boddevsys.exe

Filesize
2.6MB

MD5
6f77040ade32e24dd4c4741cdd796368

SHA1
a7bd90922333b8c6e90eb8c9f58584afcca81fc1

SHA256
fab9bd1604437e781d638681a8257a32d8f8199b320ef2101852b3ec664d8725

SHA512
9686c25ad94557b515a0747278ddae5c7405e4610f71e1fd1121d368014657be383e31f33fdde2357ae9ce63263426cbb5e1580b5d97f43c28f3f79e173b8ca9

Download Submit
C:\MintP3\boddevsys.exe

Filesize
2.6MB

MD5
905ef59f8bf8356f35f2af21187f8c06

SHA1
0971624d8a6dcac738a47f63a72441ec536e5bfe

SHA256
65cdf3581aa9ed8de9c5f6971b7fe48bdf33aff3abd0e0f7f03bb3ea56d870fb

SHA512
1cda1bcc94b915f00d6e8e3121c29ac736518765399e13793cc570e254c2f5236cb39732e5cf10c94be8cd8873f000e41ea139defd6bec5b0d7ba9aef04871fc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
fb01b95f0f6721852ab47ff4601e1a13

SHA1
70dd92e96ceecfa36785a4d3b4735219c272566c

SHA256
7cc05cdcb37e5cf05d720b60beb64a0e5cebe9496331575b9b8e329d223fb1ff

SHA512
b428d0f9aa5b84bd89d9f172f903834269af55da6f4eae3002d9287d5fcebab60d9feb2c184e8cae0b604e084d049e138af603236e0f19783a03e0fccd4d6998

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
73c243d3f9de460907ca12dee75b9945

SHA1
2253bbc7f659bbb3d1ac65f990c484b69d424b19

SHA256
423e5bf9828fe83ce72ef88804d61c35048217033652e9afc002492a88cfe011

SHA512
a65a630a4dcfa75ef194579b7cf7146c7023cf274aabfa16ca93a9f408daa69ac3525283fdfb31e4cf84f0dd86a6e4afec5c4c62693f65b1f5c37bf346bb0747

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
03d65f578692063b10182c20d211b133

SHA1
fb95b2e69ff21daaa6ff2aa56319a7c08b684f49

SHA256
056cd702594f2d64c44c6d1fa9bef7c6a5033ca469ed7d0c566574b80b491c35

SHA512
94e3bb87946e66c6294cd0afd64d8dfed60459233c25eb813af1200dedf967c8a4e207e903c406ecb41514cd94d2bf707aea0d1a1a28a6dcdd31ad07e9ac7c57

Download Submit