Analysis
  max time kernel: 120s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/11/2024, 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Resource: win10v2004-20241007-en
General
  Target: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Size: 2.6MB
  MD5: 04a1537d62800d2cba94e14ced5665f5
  SHA1: 02a4c88b2de8e63189b08950e4c9ba4a6f8b75b3
  SHA256: 9a31ec079f9330ff7ddf0422629886da291a0eb802c11a33099e00a5766221b1
  SHA512: 3f365007e6e73892140da601a659e2b42fa10daa60eb322bc972efab349bb0cdefd1b8c5134b62cf7546e25c0c3ee237e67ee71456d5dea4a5fb9ab3da7e60f3
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSL:sxX7QnxrloE5dpUpvbQ
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2716  locdevdob.exe
  5000  devoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC8\\devoptisys.exe"
    Process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHD\\dobdevec.exe"
    Process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows grouped, with the number of times each pid/process pair appears)
  pid   Process                                                                 occurrences
  436   7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  4
  2716  locdevdob.exe                                                           30
  5000  devoptisys.exe                                                          30
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid  Process                                                                 procid_target
  PID 436 wrote to memory of 2716   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  87
  PID 436 wrote to memory of 2716   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  87
  PID 436 wrote to memory of 2716   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  87
  PID 436 wrote to memory of 5000   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  88
  PID 436 wrote to memory of 5000   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  88
  PID 436 wrote to memory of 5000   436  7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe  88
Processes (process tree; indentation shows parent/child depth)

  C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe (PID 436, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 2716, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\UserDotC8\devoptisys.exe (PID 5000, depth 2)
      Command line: C:\UserDotC8\devoptisys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads