Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
- Resource: win10v2004-20241007-en
General
- Target: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
- Size: 2.6MB
- MD5: 0ac1a0efc1023e6cecc0c6c6dde40980
- SHA1: a0ad2ae3a452ad35b8ddf2708260cb0af99da89f
- SHA256: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ec
- SHA512: c918a55040ff23b428814f621d774d3698c2cb2e66922bb7f79f7744d3c60717dd69e260189a48dade85b7dcbdf2ee1ce164baf0da96b82296573d72238e9cc5
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSq:sxX7QnxrloE5dpUpWbV
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
Executes dropped EXE (2 IoCs)
- PID 2820: sysdevdob.exe
- PID 2312: devoptisys.exe
Loads dropped DLL (2 IoCs)
- PID 1804: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
- PID 1804: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4Z\\devoptisys.exe" (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIH\\optidevec.exe" (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptisys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1804: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe (2 entries)
- PID 2820: sysdevdob.exe and PID 2312: devoptisys.exe (the remaining 62 entries, alternating between the two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1804 (1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe) wrote to memory of PID 2820, procid_target 31 (4 entries)
- PID 1804 (1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe) wrote to memory of PID 2312, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe (PID 1804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (PID 2820, child of PID 1804)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc4Z\devoptisys.exe (PID 2312, child of PID 1804)
    Command line: C:\Intelproc4Z\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads