Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 23:38
Static task
- static1
Behavioral task
- behavioral1: sample 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe, resource win10v2004-20241007-en
General
- Target: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
- Size: 2.6MB
- MD5: 7b919496c5c7313e14132f0f81ad2830
- SHA1: 89071682b1c40fad2fc93e56ab79a90707152c79
- SHA256: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76
- SHA512: d5a4109ba24d3847dc8b07dc58afe3c3414df9e83ab27633ef3c0fb0ef5f38c8f6c901f83033394e12fe8071644162ba7db8b038d8f6d54a54fcf10cd485f0d3
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUphbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
- Executes dropped EXE (2 IoCs)
  PID 2200 locdevopti.exe; PID 2832 devoptisys.exe
- Loads dropped DLL (2 IoCs)
  PID 2256 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4B\\devoptisys.exe" (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQF\\optidevloc.exe" (process: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe, locdevopti.exe, devoptisys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2256 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe (2 entries); PID 2200 locdevopti.exe (31 entries); PID 2832 devoptisys.exe (31 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2256 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 2200, procid_target 30 (4 entries)
  PID 2256 (71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe) wrote to memory of PID 2832, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2256
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (level 2), command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2200
  - C:\Adobe4B\devoptisys.exe (level 2), command line: C:\Adobe4B\devoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads