a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Size

3.1MB
MD5

7721667d876a9fe1a5f9bd5ee6342df1
SHA1

c84f9363a8269d588a0da33557b5cb144b4eb5e7
SHA256

a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe
SHA512

c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	locadob.exe
3536	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7N\\devoptiec.exe"	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB5\\boddevloc.exe"	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe
2548	locadob.exe
2548	locadob.exe
3536	devoptiec.exe
3536	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2548	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	87
PID 1368 wrote to memory of 2548	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	87
PID 1368 wrote to memory of 2548	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	87
PID 1368 wrote to memory of 3536	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	88
PID 1368 wrote to memory of 3536	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	88
PID 1368 wrote to memory of 3536	1368	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	88

C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
"C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Adobe7N\devoptiec.exe
  C:\Adobe7N\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7N\devoptiec.exe

Filesize
3.1MB

MD5
f7266427e140815c936f70a6620f5333

SHA1
814af187044bfadaa44c1cb05e18b972051a3b11

SHA256
d57c08cf47fdcd784c5e0bc7621b249e705373182974487f819e663056a07f17

SHA512
bdd891da73d269c1a6c237d1a94caf00657ded53d104a6d1e66dc6236b82cbb9d2b7828c5903e58c32f6dfc86e451973f177d12f70f98120896a93efb0572158

Download Submit
C:\MintB5\boddevloc.exe

Filesize
2.6MB

MD5
f438c123d330d85ef91a9a4cc6b9fe6f

SHA1
83072fdd3171fbea99c6f0ef4cf147209b41474f

SHA256
93e00f87b8cde7d41bde53df279a31ce66ba9e1af9bd3cdd51ac6a8d9d41c59f

SHA512
783b711bf110fea595edf34ea2237c6846f4900f6a4aba244f344ced87abeb9cf9fd09f208db87cd0bb02db72836d5176d6a0cd0abb720b5b171a8a20a8a253b

Download Submit
C:\MintB5\boddevloc.exe

Filesize
490KB

MD5
fb5311422811def5e79be3e520a6f083

SHA1
067b5ed58c4859b0f3b69ad711248ed52581e1c5

SHA256
c8e8e8a7f0581b69b48e85889ade33ee2755d6642e3cc210e656ffaf71a44b21

SHA512
c74a000c137e2fca26b590b28b49bd4675c5e71569b4f9b38948e5e086d7c51039dffd9d1e7ebb5a3ee745cf4df8c257c826cfadfbb691656509a8bcc50ce562

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
7fc68bd738e328a9da929787fc496cea

SHA1
831d901eab7d60e835774f5d9e39b5347d76850a

SHA256
64635bb9554859413199babda6c49f6fdaaaa15e34de8ef24110cd754547c773

SHA512
37dde0af530d5b3455477881d8519df98795b54a91f5a76ba633da2f77b7746ee77073053f2581285fc93d13883a917eeaf5e820ca9354b10863d67287b9bd3c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
dbd4c8d333a1ba85ae526079631f4a90

SHA1
864e0e7252029a2ef65c668679ae51ce61b03445

SHA256
a610a0dfea223ad15d1a7a633c37a209586491371b9e34f3fc50410db87ab12e

SHA512
a9ad673fa86891a912825e0c01ee798c8dfafcc598582becba0756e49ea20dd939303b050be96b0c36ceb067984c1a8bdc7364649fcb04bedb49ee42bee42c45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.1MB

MD5
e84fed5585be4ce71c068d564fa32704

SHA1
8fad870191d68b9b4f59fc522c9d3b0505fb2536

SHA256
b33d3bb42e8451c4960bbde1e5f02246084f3b640f3662b1f192969e896a2d9c

SHA512
0bcc9420edf8f2fa860c4a45d1329cdb1f093f3bbb887149439d03cc4f7128c8b57a6b9b8d36662251155bfc0d9fa25281fd03c41208f1ebc4e376330ea383b1

Download Submit