Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-11-2024 13:43
Static task
static1
Behavioral task
behavioral1
Sample
254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
Resource
win10v2004-20241007-en
General
-
Target
254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
-
Size
2.6MB
-
MD5
50131cfca770ed812e92c84b28025510
-
SHA1
5faffb16ba57b2d99cd86f771a55c25a178138d1
-
SHA256
254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9
-
SHA512
8eaf537e83ab7f5e2cc2b29ee70a1e89fc1434a9891bfbfbf18012ba81dfdac607e2eba686c0eb08a222c37e8499a854716046baab8a8fff953eb6e8100cef65
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (by 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe)
Anything placed in the per-user Startup folder is launched at that account's next interactive logon; this is the first of the persistence mechanisms the sample sets up, alongside the Run/RunOnce values further down. -
Executes dropped EXE 2 IoCs
Processes: ecdevdob.exe, devoptisys.exe
PID 4652: ecdevdob.exe
PID 1676: devoptisys.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. No per-process IoCs are listed for this signature in this run, so the report does not show which browser paths, if any, were read.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3G\\devoptisys.exe" (by 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidES\\dobxloc.exe" (by 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe)
Both values carry the same name, "Parametr" (kept as written; it is the value name to hunt for). The Run value points at devoptisys.exe in a directory directly under the drive root (C:\SysDrv3G), which the process tree shows executing as PID 1676. The RunOnce value points at C:\VidES\dobxloc.exe, which appears nowhere else in this report: RunOnce entries fire once at the next logon and are then removed, so within this single run that path is never executed, and whether dobxloc.exe was even written cannot be confirmed from the hash-only dropped-file list below. -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: devoptisys.exe, 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe, ecdevdob.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by devoptisys.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by ecdevdob.exe)
All three processes open the same key, and the two dropped executables otherwise share the parent's signature set in the process tree below. -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe, ecdevdob.exe, devoptisys.exe
PID 720 (254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe): 4 process-enumeration events
PID 4652 (ecdevdob.exe): 30 events
PID 1676 (devoptisys.exe): 30 events
The 60 child events are recorded in alternating pairs from PID 4652 and PID 1676, i.e. both dropped executables enumerate the process list repeatedly rather than once at start-up. -
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
PID 720 wrote to memory of 4652 (254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe -> ecdevdob.exe, procid_target 89): 3 times
PID 720 wrote to memory of 1676 (254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe -> devoptisys.exe, procid_target 91): 3 times
The only targets are the two child processes the sample itself spawned; nothing here shows a write into a pre-existing or foreign process, so this signature on its own is not evidence of injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe"
   PID: 720
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      PID: 4652
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrv3G\devoptisys.exe
      Command line: C:\SysDrv3G\devoptisys.exe
      PID: 1676
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
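A detection check built from the signatures and process tree above, as an added example that is not part of the Triage report. It runs four rules over a handful of constructed Sysmon-style events (event IDs 1, 11 and 13) that mirror this run. The paths, registry value names and hashes are taken from the report; the event field layout, the explorer.exe parent, the two benign vendor/browser events and the all-zero hash on the devoptisys.exe start are assumptions made for the example. The point it demonstrates is that a hash-only indicator for the submitted sample does not fire on the dropped copy, while the Startup-folder, Run-value and path rules still do.

```python
"""Added example (not from the report): match constructed Sysmon-style
events against the IoCs above.  Field names follow Sysmon event IDs
1 (process create), 11 (file create) and 13 (registry value set);
the events themselves are constructed, not captured."""
import re

# --- Indicators taken from the report ---------------------------------
SAMPLE_SHA256 = "254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9"
DROPPED_SHA256 = {  # the three 2.6MB files listed under Downloads
    "31ebae1d8b321f0ae14fe7992d34db5fe42bdcff10ac94c3839b9aac763ada33",
    "eb6a33d33364fff6df9265287726eacd001211b6881fb5f951ab120db0eec391",
    "0ce075e00ccef6294dddfed236962290424044a716afdc3741e495774d96d5e2",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
KNOWN_PATHS = {r"c:\sysdrv3g\devoptisys.exe", r"c:\vides\dobxloc.exe"}  # lower-case
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# An .exe exactly one directory below the drive root (C:\SysDrv3G\x.exe),
# excluding the two root-level directories installers legitimately use.
ROOT_LEVEL_EXE_RE = re.compile(
    r'^"?[a-z]:\\(?!windows\\|program files)[^\\]+\\[^\\]+\.exe"?$', re.I)


def sha256_of(event):
    """Extract the SHA256 from a Sysmon 'Hashes' field ('MD5=..,SHA256=..')."""
    m = re.search(r"SHA256=([0-9a-f]{64})", event.get("Hashes", ""), re.I)
    return m.group(1).lower() if m else None


def rule_known_hash(e):        # weakest rule: misses the dropped copies
    return e["EventID"] == 1 and sha256_of(e) in KNOWN_SHA256


def rule_known_path(e):        # image path taken from the Run/RunOnce values
    return e["EventID"] == 1 and e["Image"].lower() in KNOWN_PATHS


def rule_startup_drop(e):      # "Drops startup file"
    name = e.get("TargetFilename", "").lower()
    return e["EventID"] == 11 and STARTUP_DIR in name and name.endswith(".exe")


def rule_run_key_root_dir(e):  # "Adds Run key" pointing at a root-level dir
    return (e["EventID"] == 13
            and RUN_KEY_RE.search(e.get("TargetObject", "")) is not None
            and ROOT_LEVEL_EXE_RE.match(e.get("Details", "").strip()) is not None)


RULES = {
    "known_hash": rule_known_hash,
    "known_path": rule_known_path,
    "startup_drop": rule_startup_drop,
    "run_key_root_dir": rule_run_key_root_dir,
}


def scan(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


# --- Constructed events mirroring the process tree ---------------------
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe")
HKU = "HKU\\S-1-5-21-3442511616-637977696-3186306149-1000"
RUN = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"
RUNONCE = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"
EVENTS = [
    # 0: sample started (the explorer.exe parent is an assumption)
    {"EventID": 1, "Image": PARENT, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256},
    # 1: the startup-folder drop reported under "Drops startup file"
    {"EventID": 11, "Image": PARENT, "TargetFilename":
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"},
    # 2-3: the Run and RunOnce values reported under "Adds Run key"
    {"EventID": 13, "Image": PARENT, "TargetObject": RUN,
     "Details": r"C:\SysDrv3G\devoptisys.exe"},
    {"EventID": 13, "Image": PARENT, "TargetObject": RUNONCE,
     "Details": r"C:\VidES\dobxloc.exe"},
    # 4: dropped copy runs; its hash is deliberately NOT in the IoC list
    {"EventID": 1, "Image": r"C:\SysDrv3G\devoptisys.exe", "ParentImage": PARENT,
     "Hashes": "SHA256=" + "0" * 64},
    # 5-6: constructed benign activity that must not fire
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Admin\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule} <- {EVENTS[idx]['Image']}")
```

Running the block flags events 0 to 4 and leaves the two benign events alone; event 4 is caught only by the path rule, which is the practical lesson from this report. The root-level-directory rule is intentionally narrow (one directory under the drive root, not Windows or Program Files) so it stays quiet on ordinary installers; widen the exclusion list if your estate legitimately runs software from such paths.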
Network
MITRE ATT&CK Enterprise v15
Downloads
The dropped files below are listed by hash only; the report does not say which of them is ecdevdob.exe or devoptisys.exe.
-
Filesize
2.6MB
MD5
1b8d209a916e4df2fabae7e6b4223451
SHA1
6d758c0f47189b7d688f68541c37ff6fca29206b
SHA256
31ebae1d8b321f0ae14fe7992d34db5fe42bdcff10ac94c3839b9aac763ada33
SHA512
e0ad7920904f937435f7ab5591f8fbabffef62a9e8b01dff5c2176ca1b8d513b6c054e72b9807fb52f83331d4203d226f13b1fe046bc2517988207d96a70fee1
-
Filesize
204B
MD5
c4792cf4c53acdcaa73b6ac606d92ade
SHA1
ec561364b2b1d4a897d73716037f10040969b0db
SHA256
18e2bd71f1147b028774719b10a0a8b6cdaf1140134beca8ee88dd1022a03d20
SHA512
602c36eab0b4bb650b76081343acfaddbff8cf63def9285c22c3e446e39320852b33b90f1967a53bd5678f25636b21f352c2cd37b08490b7f3a9cb88331e073e
-
Filesize
172B
MD5
8bdf6ba25702a210b0b19a780077487a
SHA1
c78564a68da3ec3b4ea85435bbd897771691f5cf
SHA256
7d41e0c7b065a768070663c920f57850694ed5e5c30ee6359aa785ce0efe32bc
SHA512
b49183bc4ab81b5b4b0c56d70f2c71d7901b9d72593ec61a372db181fd47d4aa62f583f3233cc245d4f26d24a55a8f0a2fca8614ddaec13091cfa243523c143a
-
Filesize
2.6MB
MD5
8ea25827e6f6ba00f55fc145c35332bf
SHA1
c2e639323fa5e7f9b044d43e8e4b91cda4c9af9f
SHA256
eb6a33d33364fff6df9265287726eacd001211b6881fb5f951ab120db0eec391
SHA512
01c21d46f846d96d0f2dc13252c224d385ab9464319696b434d0e32e7fa8b830a87568a2d049cf44a5b0a5ce07211ca1c8d87bf2edd8147e611e0a929d760fd0
-
Filesize
14KB
MD5
9262cab29eba6c8ec58cf55dd510774f
SHA1
9c109088d1dc40745dede1654950cf3c14a07d0e
SHA256
e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945
SHA512
2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004
-
Filesize
2.6MB
MD5
4dbea43aa7eddd1d9b9d39a8073e13ef
SHA1
a0e2a404da25eec1c2ea91bcdae2087a7f29755b
SHA256
0ce075e00ccef6294dddfed236962290424044a716afdc3741e495774d96d5e2
SHA512
6b3d2842a4e4433414e0aa91dadd58cf3ce95e3e21041d63c152a603c16fb1c7494c33a707e9091dfb349fdb8ec071ac1fc1f9e7cf20d901b81da49fbca825c3
Note that none of the three 2.6MB files carries the submitted sample's hash (MD5 50131cfca770ed812e92c84b28025510), and the three differ from one another, so a hash-only indicator for the submitted sample will not match the executables written during the run; the Startup-folder path, C:\SysDrv3G\devoptisys.exe, C:\VidES\dobxloc.exe and the Run/RunOnce value name "Parametr" are the more durable indicators from this report.