f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Size

2.6MB
MD5

a37a4fe8457103d4e56baa5f929ca4b9
SHA1

ffa5598357454bb21adf25042afd2e245735df63
SHA256

f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46
SHA512

3911485d0cd63a27562e84e97af79a146076f70e0da33fabc7715e117949ed561736746715b0cfa21b2ce9b906d1bf628fe49db8a498a0acad62fde56a050c91
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

Executes dropped EXE 2 IoCs

pid	Process
3412	ecdevbod.exe
112	devoptiloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKD\\devoptiloc.exe"	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAV\\optialoc.exe"	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe
3412	ecdevbod.exe
3412	ecdevbod.exe
112	devoptiloc.exe
112	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 3412	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	86
PID 3132 wrote to memory of 3412	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	86
PID 3132 wrote to memory of 3412	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	86
PID 3132 wrote to memory of 112	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	87
PID 3132 wrote to memory of 112	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	87
PID 3132 wrote to memory of 112	3132	f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe	87

C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
"C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3412
- C:\FilesKD\devoptiloc.exe
  C:\FilesKD\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKD\devoptiloc.exe

Filesize
2.6MB

MD5
a4c9a5ec0a8d24f3f52c14ed1e84db99

SHA1
9c9a42a52867101c5bfd2e581cb0cd46d9978e65

SHA256
3b9fe1d814504cb1fa0be7aa5f8f35f3ff63e568887e53a29bd4f5d30df87cb3

SHA512
c8e09eb0a745e4fff78dc982f1a348c8a4def10a08a32d7056306175f3fc277f3ae2a3215d306ef33767e5ab60cc991c21cf1d2723da255f63a5b6e86deb9122

Download Submit
C:\LabZAV\optialoc.exe

Filesize
997KB

MD5
8a69c5cee071ab813dd13ccf46eee492

SHA1
183cbeff384d2f200087ac81514bdd76ed10ae3e

SHA256
5d23601d7c070ff03e00b6281a4279fa2618eeac0c1613b72498335e4cf958d7

SHA512
72599db04102c5529bc149b5d3c20add6969df5c59e1d6ad216651dbda3622ea1f5d197b158023fd25c6f0d4efdacf84c0ab7b99246bf1d23c24db390faf3666

Download Submit
C:\LabZAV\optialoc.exe

Filesize
388KB

MD5
819aac3b24b945cfab4821e239d56081

SHA1
7a6aed11e2e732622ea60e0d968287bb78111b20

SHA256
63a225e8123941b8770207d28bb429442d1e699a7de86ec2706dbd0322881519

SHA512
f584e60a946b3463868dc1647dc517fc826012e6b538317ebc03c06f60c9c49eef428ad2d81cba7f2ea43fdf3785125cac899e44d814735b6998403ea9f4bfc7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
cd21c21f5ee8cd49ffdceede3da230c7

SHA1
1b75e75f29e2f4504c29eaa646927843bc746668

SHA256
83ddd8cc64bbc347aaec3611d690b5cef9087dc67ac6390ba0378258b463d522

SHA512
24581c711b2dee7bb2209cd3972db1f6d910c8410da3f2653f857cd256838cb93c635a39de044ff4f8671bbbbe846dbae4fd2e327f4648ed0d78ecaf634b14a6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
be894c3d86ca9901e1ee17427357ccd6

SHA1
cfb3d8814850e6eb1963721c65e90944d51387c0

SHA256
e882145fc6db4f0a0c0fc30d274f910ce04d40250e62d9bee5587e5356b38b15

SHA512
49f475a168fe17ba82b2b73ff84ca2651852ebf8ebd85ce4e0676360dab8ea32342dc6c0a9efc55e63e489d50ef657d35b742eaf8c2b8ee8223e9d759d5273b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
05de1d353c665f47662471c2e1178cf5

SHA1
a87469251dbf7c0df9719e31feeb2105a38ac29d

SHA256
a28bb1d59a1d0beda6f4c47b0001b1dc1e85c98a739b8aa50798390bccec98bd

SHA512
14e8f014a1b447118475aee92b894a03e42f8093974ed44452ff76eebe02d5600c7b0c8559c8fd4a2c2ef1e3cb165a1df849722f87d2140d9147db04b8e2206d

Download Submit