93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Size

2.6MB
MD5

366e73c620dc7a1118af7849d6636090
SHA1

c90bef0688b879c8fc08469634d52ecaac31acfa
SHA256

93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73
SHA512

d45cfbcff376b65e6fc452d22c50152a075c94b15ff827baaa82b818fde1e6f02e8f3006d31119a68269f9db46f4b6bc914336d29af0398be75db3a319ff8e10
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	locdevopti.exe
1896	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTA\\devoptiec.exe"	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV1\\optiaec.exe"	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe
2300	locdevopti.exe
1896	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2300	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	31
PID 1996 wrote to memory of 2300	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	31
PID 1996 wrote to memory of 2300	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	31
PID 1996 wrote to memory of 2300	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	31
PID 1996 wrote to memory of 1896	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	32
PID 1996 wrote to memory of 1896	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	32
PID 1996 wrote to memory of 1896	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	32
PID 1996 wrote to memory of 1896	1996	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	32

C:\Users\Admin\AppData\Local\Temp\93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
"C:\Users\Admin\AppData\Local\Temp\93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\AdobeTA\devoptiec.exe
  C:\AdobeTA\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTA\devoptiec.exe

Filesize
2.6MB

MD5
94571e03026b39d3fed74b5ac1079dd5

SHA1
2ff0a42190dd2c19cd800fb190f874692eaeb972

SHA256
eb91df4f3be1b77f94ee9483047a133303ef6c81d5f76483df4fc9ff3df04fed

SHA512
01f783496f1fd2c8ca81d05839bfca333d3e24301ab34560fc3a7a0b0d25bab1ad3d48bc3ac76b84bd1c2899da8a339bae1067cc1332e813f99666a32f7c4126

Download Submit
C:\GalaxV1\optiaec.exe

Filesize
2.6MB

MD5
e7974cbc4f9b8d5caeb4c9b655dd7ae7

SHA1
f3b56610f381ad132f8bcb3bde66d8c36d011043

SHA256
e58c1876ae3bb40f8c56055551e6dc26362d3ee6eab08597307b45d71ed5d47a

SHA512
684f83076fc320a316c01d2748a9538d0ebfcf097cea12e81feb50f75c33a10a86fe7a572c07074336b1c2ed401deef87b90e63f46e210ccd3e17d26c229617b

Download Submit
C:\GalaxV1\optiaec.exe

Filesize
2.6MB

MD5
c4de3c465b8908b50f53328915e30706

SHA1
e3dd285dd26e64782f2563962f773428aad79360

SHA256
aa2bdfdb3cac31acdcbaa35837d2ac776caa57a5c3dea0bc4e0b337ded6ac3e7

SHA512
40aff54d548b3412032190427abf5048ce2ba327afdd074149703cad7a076c2db9c54863e9be42c28c55a2ca4256545b5e3fad9c985bd70bd02eea3b72a393ae

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
22a8af77ce110d0ed73070e594e2a5ca

SHA1
0d73afc8ef9f1347a2b2ba30626b970f98cd6cd0

SHA256
b4ced702a5fa0fd1fd332f2d032d1052953a201b7b6efe5ff555cf68b7c2bce3

SHA512
096c3e7163074077e22fa85c5dd0fae2984d0239aa08ba1a3230f4a51407937b02ff87d202bd7618b2e2bc22786b1916493046dd63c54b2b76a287f6176fd281

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
f393e96808af28a82b7383cbdb3e47eb

SHA1
380a54b84116a7e737944152dec2fac97c8b1721

SHA256
85050a8fc399ca51cf992b95bd2a6a3fe757d27bd8726ce54a02904c8ae3ec06

SHA512
a6e4ac55eededff61f44cf1a30cd73953861ae03b144880f208db4989abe53cd9bb879cdb7feb21bc7cdaf67b72989a8920e37f6f977a47530024f7514db5363

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
e18f26036e178804d54a0ce7b29257bb

SHA1
648c62b7f88b616495fe2b5ea121bd6699dfec40

SHA256
4ca016af2cdb24f3deecbf894d8167698a8061eb4a820fad2e8f3602ef9fd562

SHA512
136025c6602a33e8faed335ddfc84c0094c2c04677a4ba1441518823c66acc7e794988100aeeeb49faf3e38816e80c24eff6bebfd7cbfc9033fef32c9b083de9

Download Submit