a8d31e246e4ca8663cf6ac09c1f9d8f58995cf3d75b3eca4033ed26c3dedbf20

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e36a833cf32d2be157847987c717020N.exe
Size

2.6MB
MD5

9e36a833cf32d2be157847987c717020
SHA1

465f661d7d1630fb1f6d34d4f394dcfab99e3a95
SHA256

a8d31e246e4ca8663cf6ac09c1f9d8f58995cf3d75b3eca4033ed26c3dedbf20
SHA512

caa9650fa7d746805c64ad022523d3b70e4b134cc0bbd58574623f49e89c8fc8bc52f2beba443db624b12ca74358ee15f69edec5c019d1c2291db5c67df211d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUpVbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	9e36a833cf32d2be157847987c717020N.exe

Executes dropped EXE 2 IoCs

pid	Process
4388	ecdevbod.exe
220	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGK\\optiasys.exe"	9e36a833cf32d2be157847987c717020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotG5\\devdobec.exe"	9e36a833cf32d2be157847987c717020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e36a833cf32d2be157847987c717020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	9e36a833cf32d2be157847987c717020N.exe
1924	9e36a833cf32d2be157847987c717020N.exe
1924	9e36a833cf32d2be157847987c717020N.exe
1924	9e36a833cf32d2be157847987c717020N.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe
4388	ecdevbod.exe
4388	ecdevbod.exe
220	devdobec.exe
220	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4388	1924	9e36a833cf32d2be157847987c717020N.exe	89
PID 1924 wrote to memory of 4388	1924	9e36a833cf32d2be157847987c717020N.exe	89
PID 1924 wrote to memory of 4388	1924	9e36a833cf32d2be157847987c717020N.exe	89
PID 1924 wrote to memory of 220	1924	9e36a833cf32d2be157847987c717020N.exe	92
PID 1924 wrote to memory of 220	1924	9e36a833cf32d2be157847987c717020N.exe	92
PID 1924 wrote to memory of 220	1924	9e36a833cf32d2be157847987c717020N.exe	92

C:\Users\Admin\AppData\Local\Temp\9e36a833cf32d2be157847987c717020N.exe
"C:\Users\Admin\AppData\Local\Temp\9e36a833cf32d2be157847987c717020N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\UserDotG5\devdobec.exe
  C:\UserDotG5\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintGK\optiasys.exe

Filesize
210KB

MD5
626725aeb991113ff9372f926ab9270d

SHA1
ad410547f5eaf81e0be7f6f306a995f62678e861

SHA256
93f37642b301baeb13185164331eebac50d543081411fbd7467e9b33073cb895

SHA512
474d7434481c1f6369e346cd78ae670d41fbd963ce453329e7a3963e2b4eeb6a53777333469d2c17472d5331d923966d9b394a13940d3317c062d3c3ecac76b4

Download Submit
C:\MintGK\optiasys.exe

Filesize
912KB

MD5
ef7f48683836563c85d4175bc5a5ab7a

SHA1
d4874858d591c4d0f5468f6a6da368e626383f58

SHA256
bd3efb0a28b76b88d85e2a68e2517daceb552f739fb238e0fb50d8696f129ba9

SHA512
1e805f3751029398dfb4073eb226631641e9f73e21347da0eb6d292fb1ddf1671b79074214b937b962c1c47a9a1acafc9a9debb04be389f579a98b62a28ef2e0

Download Submit
C:\UserDotG5\devdobec.exe

Filesize
744KB

MD5
04d43634621c881887bed9dfcc69d75b

SHA1
fcb2cf8895a0d077a555a313d707fe4cec43844e

SHA256
76534082a7aa1d5263b4abd204dd285d7ef99b6c99ca67abfd1928aa2c8519c8

SHA512
8e208ea3fdbb7019ae8257b04c9bbf75053b6430fe7d4bb5c438b503e0ca8f44ef171cde017a84a7e7fd3aec8a122aa4986a22d912ab0fc5d6dc40490b147130

Download Submit
C:\UserDotG5\devdobec.exe

Filesize
2.6MB

MD5
d72ef64861f65f8bbd28427179fe8598

SHA1
f46ca9625cf8c861302943f6f38c7f48009fc52b

SHA256
ecdd1b003ddc2e0f35840bab991f7b0a45b3677b3c5578cd8b06de3875fe7523

SHA512
e06f3649f78f80dcfc2e212c320b718c411ce3f71adff4c12223410ff8d9e17be5a9d160ea4e849c4261c8fdf3db76cd4ef45e7cbc55f6677b65e45955d35389

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
033e2f7a3d4a76965273699b6cc8f7c0

SHA1
7710575bb43afb00d85b203af514fdf612b99816

SHA256
e4a748798120cff6c2a348bbae6d19d76f417a2e4b58ea1864941e963dc0aa40

SHA512
0d5e38008447b60304ec0c7802fe33fefc27892eed02e5e5084b0b7682760589992e6a0c20b902ce69ed6e7f08a9289144f963d9b03325c2611b389c0ce55f3b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
2d071a01bb0beb7db89c8e5ef1fa5f7e

SHA1
69991260fc6894e7ecb1134fa8fd8df8f4d4179c

SHA256
28e418569b26af75b2275a86a0674e0e694e589e429ab22a591334780dbcb311

SHA512
a5bcf4dfa3f7cfbc7b1c03f96e94a854a0b6ebe2bea6d24709d89d54836d4ae86d92b609aadf06b1a01babfb1c7bfa1e9eb96cc02e983c913be8242004b560c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
3fe966aa42f7a3966bd8ef220996c55a

SHA1
745f46c44b4b076b7476ea4ef428f7a62a75b4aa

SHA256
38560d96310f28a88f5c7ba35a0c7ccc7707b2cd8f3f46392e92df770d1b8484

SHA512
ff8978e4d97c45a476c6e7066bebd63e4f2e41e38e9da24f3b93830478a680b1e4f063db1c48952ebd6b24f1204c5bef54935ac5695266c14216830afffa3521

Download Submit