178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
Size

2.6MB
MD5

403ff8a4d3292e19a5ebd03f062d2602
SHA1

4f6f825636492e66ecd25b779c0a5d5dc1e2f089
SHA256

178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240
SHA512

84eb63f10c7d73f677a077fd9169ab56cc173c15bdc2351e786e1528681d23429039fffe69ceb4ebfb5a663b387d4f01e5e67394f229f3213de74d43ce87d613
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp+b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe

Executes dropped EXE 2 IoCs

pid	Process
4164	ecdevdob.exe
5040	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMK\\devoptiloc.exe"	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxON\\optidevsys.exe"	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe
4164	ecdevdob.exe
4164	ecdevdob.exe
5040	devoptiloc.exe
5040	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 4164	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	86
PID 2608 wrote to memory of 4164	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	86
PID 2608 wrote to memory of 4164	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	86
PID 2608 wrote to memory of 5040	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	87
PID 2608 wrote to memory of 5040	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	87
PID 2608 wrote to memory of 5040	2608	178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe	87

C:\Users\Admin\AppData\Local\Temp\178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe
"C:\Users\Admin\AppData\Local\Temp\178783e3d8efecb9063a7d332234e8ab5f4e37fedf62bd1dcedc3d965af70240.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\UserDotMK\devoptiloc.exe
  C:\UserDotMK\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxON\optidevsys.exe

Filesize
10KB

MD5
a86336805b3d53c18600c251ef3cfa32

SHA1
69594cfc6347aa438b9319dfca41704cf4607aa6

SHA256
8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5

SHA512
2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

Download Submit
C:\GalaxON\optidevsys.exe

Filesize
2.6MB

MD5
acfcd5c6d97f5a154332faaf5a52e01e

SHA1
477f60e45cc5a3245625e0abd95f94d6381433d8

SHA256
e7ff5113f76e5a3505d13da212bd4dd04e75d472b0cfcf82088b20454e1ba987

SHA512
0bb50199ceedfa233cecfbc69e730487b8356a09eb7d7de67a716a6a1e4b6f9d5b66fd9c6cc86eba72ab4b94ecb54fa73da733f48ae750653d4af006ba448d10

Download Submit
C:\UserDotMK\devoptiloc.exe

Filesize
2.6MB

MD5
c79c43c29a2ae4976c8f587d9ca38082

SHA1
d49cd3c41b955698dca196fdeb4eca1af19de969

SHA256
5636cc74e6e4e4a7bb56dc8cc92b30a290409cbf7a17e595e45c0bbc1e7b5244

SHA512
f93424b37f18cb2dcbd388ceabb36a9b55870b7f705040fb68c756d5d4a983cd3ac1f5da1b0bf5a33ab463e0f48d033723b1193827f1f3539c1c561a0956149a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
210B

MD5
ffc9da89eb91bfec82edca7fae905de5

SHA1
c871bdf64bf62ed31f6fc2a1b1a998671fdcb7b4

SHA256
f460e4e93b2b27567470679c0c6844747e779225ec41cc7ea6ce4d58718a0383

SHA512
14ca2cacd970190578cf5712ab12c384e278f24ebce32d9c3b0e7776b48b044a7fb3e9fc69312880acde75a4e9bd4e41919ca0f8b9b4e2b9d33519b172243de9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
178B

MD5
ec68446588441964230f57c1107f540a

SHA1
4b059f65d9e977604db76e40a1a9960a06b8fc1b

SHA256
cf266b0e060e6f013bd6369a1f246181e7dd38f708692b1ec8f5df98cb0f8368

SHA512
74d3f4612e29e0b785ad64be979ecaf04c3c0b4c698cb8100691cae1c51554c1a8b2fa9e39107435440ecb315a3b13813c6879769984b6179075208b141c48c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
8313562e887c3fdfca7833fec1356227

SHA1
ddca8f314b98e2176e2fe2aa7b25bfd9e858ca54

SHA256
70b0c35d73c9f8c0a49ad82ac287eccc10703b6c7731c55e82ba4e029befa95d

SHA512
fa311bf71787c4eb2bb5e6a980f81501dc32ebafe1a9a37e767c7c66a2134d6e81bd3e1f930ce0c8ee86b2015cbf6cc9dd5c49b7efe46064b94a73b73f815ec2

Download Submit