15effab62ee6634b924c59c34fda08925c8bc9ba7e27af6ae7b8dfec28080819

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f57618b6ae472801efb055af4a8ea00N.exe
Size

2.6MB
MD5

8f57618b6ae472801efb055af4a8ea00
SHA1

c68462d62859387e370f1c638e1183e765f660ea
SHA256

15effab62ee6634b924c59c34fda08925c8bc9ba7e27af6ae7b8dfec28080819
SHA512

0efc3685e4d66772a3d6068882e2927e17bc1d4526f6f346b107dbea59fa85ce2eac4254a4df2a0dcb4d0b4a4b0a1f5579f29a28aef029ebd353a28b21fa8e8a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpIb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	8f57618b6ae472801efb055af4a8ea00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	ecadob.exe
3116	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOY\\devoptiloc.exe"	8f57618b6ae472801efb055af4a8ea00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobaloc.exe"	8f57618b6ae472801efb055af4a8ea00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f57618b6ae472801efb055af4a8ea00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	8f57618b6ae472801efb055af4a8ea00N.exe
4476	8f57618b6ae472801efb055af4a8ea00N.exe
4476	8f57618b6ae472801efb055af4a8ea00N.exe
4476	8f57618b6ae472801efb055af4a8ea00N.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe
2752	ecadob.exe
2752	ecadob.exe
3116	devoptiloc.exe
3116	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2752	4476	8f57618b6ae472801efb055af4a8ea00N.exe	88
PID 4476 wrote to memory of 2752	4476	8f57618b6ae472801efb055af4a8ea00N.exe	88
PID 4476 wrote to memory of 2752	4476	8f57618b6ae472801efb055af4a8ea00N.exe	88
PID 4476 wrote to memory of 3116	4476	8f57618b6ae472801efb055af4a8ea00N.exe	89
PID 4476 wrote to memory of 3116	4476	8f57618b6ae472801efb055af4a8ea00N.exe	89
PID 4476 wrote to memory of 3116	4476	8f57618b6ae472801efb055af4a8ea00N.exe	89

C:\Users\Admin\AppData\Local\Temp\8f57618b6ae472801efb055af4a8ea00N.exe
"C:\Users\Admin\AppData\Local\Temp\8f57618b6ae472801efb055af4a8ea00N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\SysDrvOY\devoptiloc.exe
  C:\SysDrvOY\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxGD\dobaloc.exe

Filesize
360KB

MD5
c5e82fbfa8d5ad5dba9bce72cc5ae162

SHA1
d40c34bfe2c921ceab103cd1b6c43ebd9bc7d486

SHA256
d695bab49333167668be1e8621dc1ca17832876e8a3cf909cbdd92558e705b27

SHA512
68cdb405ed02f45e85ce5dd572acc8a672cbb966dac3bd8b5805c32c962dc3a06794cca2e81ee38b2d72b606b1a8fb935330e1abbe4328c1139c9a32f6256629

Download Submit
C:\GalaxGD\dobaloc.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\SysDrvOY\devoptiloc.exe

Filesize
623KB

MD5
bf4b04f4b12143d6d641dbf685edb7b1

SHA1
32033385794c5fba84e0ea967a4416dc5922faa3

SHA256
2fcc3b1e2f9056e6937da1713b74ac1d56342bae22d592f8db0465a14331d0d4

SHA512
6d9fce4eca3685a919c435a0140b43e9948376c5ffe2df4ebe545aa875f54161a9e37414fa178c16c6320549e319ed3c5b59e58c83f538ca4f5ace0e1e74bd56

Download Submit
C:\SysDrvOY\devoptiloc.exe

Filesize
2.6MB

MD5
3348c02b00b17205dadbb906151cd453

SHA1
ce4f45bba0bae35e31a1eea9b6968fc547356ed6

SHA256
06d5e757a1dfd43cd7eab700eb5ad9f10e4108818aad4b14a50206d3b7a9e888

SHA512
3c795d74e66954f595b10882af3278f0e511a424bf6d2e11fbc45e0f72c0185652327bc3191d8331a7c5319c994f00671872ac09e36be0f3e5f55309ab3771dc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
df01066a5764d81c61bf68c499b3e71f

SHA1
b5fa03ce2cc4e54db01f60f0cbd1cb604d2ef654

SHA256
ebede10db995092baa009b0de44d98a63fd3cbaf32ba3b7a742c4207e1ae7b2f

SHA512
8a061243a4757018cf5d3078036f96392b6e65edaabecf23a258f9b3afd8b1210901328837ffb77ec197b32b5c0c0a7375636aa838045a10bfb9ba7e36ab654b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
b8a05e527e95d01834a8c99257bac3d0

SHA1
8c1489e2f6557fa8de714d0cebc6557426f5f111

SHA256
9aa08b1e2271249979feffa21514e0c24eda82ed1e1d39c93da8f6b75a9343cc

SHA512
568ebda83ba21593fe7194c0e8bdf0dc1900cf8c646b56d8a42b875ded18ad1c8b965a5abd60960fc13cafdd50f0b7fd94124a2557405a1ed4d0989f579f9a5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
8ad1987020670ee3f1e3da43897e1928

SHA1
2906881f813f72fe1eccc583dea1f17580fcdeab

SHA256
22e322773915f4666481e2615172a73d7701ff88e7ad6de68c1c428865fdc6fb

SHA512
989f3e2d488cca96a714d550d6816d27f7f5794ecb445c973893131289d0be5d080efb4ed03840ac28170069b4c7738fea3b287ea022892c6e4caa7817e7bf59

Download Submit