dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cce

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
Size

970KB
MD5

317c6ab25574d7f469a47590c8d5eb40
SHA1

ff4c7e89fc8e4e91921e68d0e26ce64d8e0984ad
SHA256

dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cce
SHA512

26d0bf9aee001cd20c7342fb1dd1ca8487e64767cae83d82a0847710f8818adb902d13d07dead1e2202c2d76ad96d524bc30813aadbe12403cb19ad92c966481
SSDEEP

24576:RV5fin1sAT4v8U0bue7mRl7muSHDpjKJRl1BwF81Ws:DZ6ue7gNHSjpjK3LBd

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	locdevopti.exe
2176	devbodec.exe

Loads dropped DLL 4 IoCs

pid	Process
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFS\\dobdevsys.exe"	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWS\\devbodec.exe"	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe
2176	devbodec.exe
2896	locdevopti.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2896	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	31
PID 2196 wrote to memory of 2896	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	31
PID 2196 wrote to memory of 2896	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	31
PID 2196 wrote to memory of 2896	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	31
PID 2196 wrote to memory of 2176	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	32
PID 2196 wrote to memory of 2176	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	32
PID 2196 wrote to memory of 2176	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	32
PID 2196 wrote to memory of 2176	2196	dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe	32

C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
"C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\FilesWS\devbodec.exe
  "C:\FilesWS\devbodec.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZFS\dobdevsys.exe

Filesize
970KB

MD5
722fee1ef62a64fe498e02757a27b895

SHA1
cd686d1e5359616ccd826929bdf02244bd7b3c01

SHA256
fedfcb82db9762ffacd653fef3faf3c7ce91f3157f77c76eaf19ca23113ec229

SHA512
2cfff52165f9be13b30afd7f08f5f543bcb9a93dc58ccb7090e904a2e84b404fac69aa4978ee21a08956009ed4276f1c430ac291c97b4040d094cd9f8d07281c

Download Submit
C:\LabZFS\dobdevsys.exe

Filesize
970KB

MD5
059b354b53ca3d1c8912cce74f5118ad

SHA1
78c675246de747e217081af1e0d2b845d00a2ae5

SHA256
f64475794c4b128a2a2f38d153dd3948bdc5ea6e55dc6b0fa22c019eb4bdb786

SHA512
9613d0af954aca3f1d3a8fb8cbff9a310d2c975e1e1dd56d661206f704bbc64d2a82b326858e9f91e1ce45fc19443ffb6a7be32832a4841f6437fbdddbd4d160

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
8f1486f7ff11cbccd0a014d837e6abdf

SHA1
a16982e4b5f6dd6c8b83ed8874d634795c73a9a7

SHA256
1476695505ea8b18d39bf9d9528e166c3a08c03402ff4978c390cdeebd441c57

SHA512
2c16ad74b4dec2a6a015eef37302ec6a59262f2a05ac8e4414f59edef0efd26792941e36ce5ef9e35b60de40e0467434386f16cfb37fb6d267911124a4f91aeb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
36cdf98bcbf12892be28869e152f63cd

SHA1
4300cc8271991fa96dac5a2803faefb2356ecc80

SHA256
02c7e83e17ab38a48c381bbc63872c2513b88cf1e83896eebd9be17184aa5129

SHA512
64bcbe46d08ee81e41c0372473a2df6f1c661ef869a02e1fb36921374f5e565cea08d6c09f655794bd345d6620c844c50d9fe56b2984c0ff97615376a9847c0c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
233B

MD5
0140f614018c1feb65549d3118afeca0

SHA1
cc4c47df4f4065f0fe1226c7f2233801730965a5

SHA256
7eef94cc6f006b810cf6504edffe2b8b195d916f9efde98daa5881dc6b6c3941

SHA512
e7019812cc5580f7a925e0dff482e4c5867c9bcba8993171145e60e42a92627223e003614b794433d0ee68a12e1781818cc76294a167c104b6415361addd2d8c

Download Submit
C:\Users\Admin\email.dan

Filesize
46KB

MD5
42e85f2562782d8e1a168c006dd93e38

SHA1
f25e50544590366e8dbd0830102873d5cc8b53b4

SHA256
e2eac24e16659f24019a1af1ad52476d7c60ae3e081ec53704aac6e0c6031059

SHA512
81d7467d1b675f160e0406da36efabb747329a71c4e4228bcbd816def2f452240436509125eb654ddde7e37b4d894393218cf7aa7607fa5313d4c7f0fa3add5e

Download Submit
\FilesWS\devbodec.exe

Filesize
970KB

MD5
3d3b3e47ce142fc43ae03ff3a302b762

SHA1
b30ac878f0e4338144ee494a771f83d6d58aafbf

SHA256
2f533cfdb69f04f1383f6ef3b4438009ae53af047e5e7f5b6dd3eaf810d18c94

SHA512
2e04902a57cf6aa9b82a5413bde81c900c00846e308397c213c8b24812f395075be40bca532ad86de2aa1c3a0e0d4802054f0200011c4630d374b6d622c63f73

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
970KB

MD5
121413f3db4f9c5df5e3b90f8544dada

SHA1
f8b299c9dbf8313687438cda30c46420d66b45a3

SHA256
c0e6b7586d5001cb98a25064aad496734adcc4ffb5e31cb5c87b21718be23f0b

SHA512
14b013282554f1f5fcf31688f41aa3db78c5c6ff89c15f9f9c9a83175d9be9f1c8fe43d83ef5eb1cfa7e731b8ab6ccfbb2d43784fd49f559d4caf3d4b06e7b9f

Download Submit