0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Size

2.6MB
MD5

bd49b46ba24fc504eaa1d96739c009e0
SHA1

701764bbec0e3cd74b1c025fd497c3476077f382
SHA256

0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1
SHA512

5f70f5ba4d83149211c0e670720707e841c6ef9a91957d65173e05e1e812758c4e7debb9d166eebc2cd94ed8a5a169bff8091c06dfa403a6a0f11d9dd2ba9e44
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	sysdevopti.exe
3500	devoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBW\\devoptiloc.exe"	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxD9\\optidevsys.exe"	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe
3800	sysdevopti.exe
3800	sysdevopti.exe
3500	devoptiloc.exe
3500	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 3800	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	86
PID 4172 wrote to memory of 3800	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	86
PID 4172 wrote to memory of 3800	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	86
PID 4172 wrote to memory of 3500	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	87
PID 4172 wrote to memory of 3500	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	87
PID 4172 wrote to memory of 3500	4172	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	87

C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
"C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\UserDotBW\devoptiloc.exe
  C:\UserDotBW\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxD9\optidevsys.exe

Filesize
380KB

MD5
a7cc740a430934da04eb3f571c7a7cbd

SHA1
fdeae034da43207075d42f4a951cc97226bb86a5

SHA256
4de236c80eabd7946d61b52b416a00e992b4c2a42adb8677ee7dde52ef6405a4

SHA512
4aa9c4081ddd749cdd515b11b97ea5f43783da85cbd44112e452455e150e4cced9f9e8a5d7bf009ab634978861ef82f6376e5f5c991436c9f9dcf37c0d3c37f5

Download Submit
C:\GalaxD9\optidevsys.exe

Filesize
2.6MB

MD5
7e705ced0d9357cc86f15d634421ecaf

SHA1
31638b5b55161b47004c6a583b98d0804e062b76

SHA256
bd0f8fc1cf7588ab5f531e36cd7b70191c6b48cd711e7de993b4a0cca34c2dcb

SHA512
d28c9d6f434f1f8e3e630beeffbda0feefe7df0f5b3d30de1439ac196fca8899503e2456d11500f7b2f065abf03d2c549d7f6bcc0966944e7af38b70d608c07e

Download Submit
C:\UserDotBW\devoptiloc.exe

Filesize
177KB

MD5
305ae6bd1e14b9d5fe4529c9526cbcd2

SHA1
b27f323de9d7187f2f0404748582a0d8f7355b5b

SHA256
af339106aa6e197389800858c1a2c7adaa21e0c29bec7a43fdf7ff2d1f37be2b

SHA512
3c90a35ed844019bda1da1ed31320e7d55b697b6ae27c17efa0fd74e8a1daaf38cdc8bd9416008326a363cecc1ee076f0ad7f64310a574b656b418058ef3e3bf

Download Submit
C:\UserDotBW\devoptiloc.exe

Filesize
2.6MB

MD5
14681211e8077f75047beb5e49e6c8f8

SHA1
6342748a494ae5c1595aa182ebd2f276b036f253

SHA256
ddc0b7c216473601767528ca243a3331399a0b1003408e6f1d13cdb5afa9ef26

SHA512
d2b6cdfb0924bb663bd88f6f7f429cb36dc00a74c4922cae6054cb8199a5775397e05a8de117b66c76abe6ef285cffb69937ae90bcbb2a737aac089dfdede16e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
212B

MD5
c57474348e8f6b85a392b7dc240857a1

SHA1
7895f59f9b3d4e6438c2ebcdae23cc969904983f

SHA256
c950905b3b8d409c9baf6ecb4bb571212055cb5817af551a71818084d54637ce

SHA512
c84615ff05f771006fcf5896917e24e4e56d6bfde34441c2db59b34e7589256c5ed947f1414ab64ebf26a3b84a45cdd86a186c29b965270e9b48cb17b7b3b4a6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
180B

MD5
17809bdce7c926b9996e2cd159c50a4d

SHA1
bf1eb5c2b27bb53353c1be647d8e59d66d2a2c88

SHA256
7c68c73df98ed731f6c122f830de863319e0f3ccc23f8bad5079f7423b8e0a96

SHA512
30f52ad4d78beaa168a316534e73d8288c5e02012a1543b0489124a81876994e2490f249251965d4ddcb3de577c8bab1c0909cfba20bc0db75ad5687e0e93292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
04f02dc69ce51c51a5adcfa292367fff

SHA1
d73f6dceb83225054a0a239bef426f40ee244e47

SHA256
3de80a8ec2c30e979a9b60cedd881ea4225aad6744a4ce1970502a569766083a

SHA512
bed8794e1cf3ece43fef7428ab5d35a6931fa2b4c7fa481add2c0ca2016f6a61b0d041d5bdd0cd88f1106db60608040414fc16dcb5424dcb10b04f570f7ba4aa

Download Submit