Analysis
max time kernel: 120s
max time network: 21s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Resource: win10v2004-20241007-en
General
Target: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
Size: 2.6MB
MD5: dba9dda9620788444587443054e95a30
SHA1: bc5d0c6ac4e052f310d2ad992dbd7bbc1b315e25
SHA256: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87
SHA512: 4ecf4a0fa0cf2f5ffe7a82e1a5d433e10c9220aa917f0121d0b7f00e7c723cd6c1b0f3ff1ac4bfbfb95f3d5122b8eea0dd931106454b535b91a90317733eed07
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpjb
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
Executes dropped EXE (2 IoCs)
  PID 2272: locdevopti.exe
  PID 2924: devoptiec.exe
Loads dropped DLL (2 IoCs)
  PID 1364: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  PID 1364: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8X\\devoptiec.exe"
    Process: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDE\\optiasys.exe"
    Process: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptiec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevopti.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1364: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe (listed twice)
  PID 2272: locdevopti.exe and PID 2924: devoptiec.exe, alternating for the remaining entries
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1364 (68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe) wrote to memory of 2272, procid_target 30 (4 entries)
  PID 1364 (68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe) wrote to memory of 2924, procid_target 31 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1364
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (child of PID 1364)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2272
  C:\Adobe8X\devoptiec.exe (child of PID 1364)
    Command line: C:\Adobe8X\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2924
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: 51c42b71dbdd102b6c071bded352ce35
  SHA1: ca2bbfff6c1936cba038e9f60d858809cfd1f95a
  SHA256: 0a18e8701445285d9cb63c2af91eea4159abc2a81973f9f671a2c30b4f07b4d7
  SHA512: 7158a400f47516993acf59c3d8379a3750c050b11c806441fcd2647f07d537d053b8f9e7fd5d395267ef7adfc9cb462dec6554b88db746184508f7b37a705aba
Filesize: 2.6MB
  MD5: 837d4375d5debe21b2c3d756a97d396f
  SHA1: 632cafb8c9abbdf93f3ba04eaeba18537ab35d01
  SHA256: 532d5ac419654637f6aa51bf8721585c7a3d3643d6e13c9a857fd0b50abb0200
  SHA512: ca9aa2e5d2f4b64b654449c379c74dcc82376c4078ac17eea21abe017781ef260df0fd81906b033cf192e9945a12960cc6ead3a0481195ec1cbe2096e669d8c0
Filesize: 48KB
  MD5: 33b389447d92d1d6bec3b0d88267fc38
  SHA1: 136c5272702f019838d1e3ece0a088c73e5f0c30
  SHA256: f6ba336ee80d621061e4055bd48c36089dd5bcac3a01c98f0856c09232af5280
  SHA512: d37aa3d9152be5d420e46e26345ac7aca03aca84843ca0b9692ad41acf39829dd9c81857d06c1bbabf7ee892077e2c7ebcdf327329acb306f707f7bdf36de399
Filesize: 174B
  MD5: 0446e30f3bbd128f37304029fddd94c8
  SHA1: 620211050e2b98bc793101bced86e87ba9a46b45
  SHA256: de1351073e671b0b362264744b5b3333764bf76f57fb80a4efc20b3841758d90
  SHA512: bfa51e2491426af2f5f1d4ec6e942fcbf564193dce7074b0ba8f95c7e4b5117147663f799b69901b4d687707660b10cd5bbf9559dec89ffe485398d303001d64
Filesize: 206B
  MD5: 1d8756993991439787dac2fb85d6bccc
  SHA1: 86a2779f17acd9c84dfee492fc2b8d23b900f8de
  SHA256: 06261ad48b9b6d5bf37f85d9af2fcffec306d9582cf98bb5168678e82526852d
  SHA512: aac2ae7dc3819b2013de5e9362f30aa15d1b979aafe806a1faf0b714b1b16255a00bccac2b68915ef5bccce5bebaf77f0ef3d2524ba7b448916624a2bf17996c
Filesize: 2.6MB
  MD5: bbc67fac15ad3fe8417c1012aea5d499
  SHA1: ffeab05931398705662dd79bd5590db0bfdde46b
  SHA256: 3f3f431e9a74b9dd5538cfe19a99294d8029d08f734940f71f79f1bbe8393463
  SHA512: fc11fd215c8adff4e6a14842ce3ca0956b1eebdb586e848c07ada8abcb667a7dccf51f011a9e44a7a2cb74de1df53f2b9a024921412fe048db6695c403243807