53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
Size

2.6MB
MD5

280c423cdd148f050c1546f754afd450
SHA1

60b150f8efdd69e8b5c63cc63000e0f3fbf51e23
SHA256

53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8
SHA512

12bd97f19c50de3c28e590674e3ca18807c03b15c402f3c5635fd8d248594e3d6c3b3064594b12874b53cd423ca94ec63bfac771b5c8caf02d9d9f1ce6016ad3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpIb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe

Executes dropped EXE 2 IoCs

pid	Process
516	locdevdob.exe
4460	devdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesS8\\devdobsys.exe"	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXO\\optixec.exe"	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe
516	locdevdob.exe
516	locdevdob.exe
4460	devdobsys.exe
4460	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 516	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	86
PID 2276 wrote to memory of 516	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	86
PID 2276 wrote to memory of 516	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	86
PID 2276 wrote to memory of 4460	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	89
PID 2276 wrote to memory of 4460	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	89
PID 2276 wrote to memory of 4460	2276	53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe	89

C:\Users\Admin\AppData\Local\Temp\53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe
"C:\Users\Admin\AppData\Local\Temp\53679fa145966da511a477da350a0ea3869a87917075becdbbca8766aaf7a0f8N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:516
- C:\FilesS8\devdobsys.exe
  C:\FilesS8\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesS8\devdobsys.exe

Filesize
2.6MB

MD5
cbf8e208977e14a287be1d67d6dee8a6

SHA1
0ede991531206c4eedd5d3406f73d5b4b5ebb393

SHA256
105b902640566a948be43c311bdec6ae7e6e9400a4e05e974e5b762d9d9ac9d7

SHA512
7e42598c9254c1e127cb8c157e5fc544cce4abb3c041af9b0559eb98a9ea90ee2bd61bebbc7cca8380e8dc11431d3b9344a660fa7958e13996f2ad9530bbe9fb

Download Submit
C:\GalaxXO\optixec.exe

Filesize
2.6MB

MD5
4ea42fa459b0834d81517f93b05e460f

SHA1
08df437005d87a2c122e7842427aa83ce5435d0d

SHA256
6d94bf5b883280ca6da5c5c554d633bc4c97ee2b16fefdebcde6f45ce83e3625

SHA512
b02708faddcac6c56336fc6cc50ba933bacaf626c15be4fe1debdae5aa251090ea441b993a40dad5b7ba2672739ab47f7090079b36a8785858e208e59f3f9c1a

Download Submit
C:\GalaxXO\optixec.exe

Filesize
2.6MB

MD5
1ebc86c6f4845d065209f5c746e84983

SHA1
501b2edb3b5d8d1b2deb317cb2d217c1cba290b8

SHA256
105fa7b06b088f62f5a5c340cd21a1b3d8ae3ad068955db2686f0f8369ac437b

SHA512
d5adb65a71009aa3c93f6e07914b76ce8dcb865c68c287a01a72f1fb617bcf6f247a5b3ad43878164c0ffe187ecaff46406af02d9a6c40fae10e95ea16887ea1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
200ea02341ddfc84ba615ece8d5174c0

SHA1
fc8d3f0dc0a9bc70f876832fc7ad03903a6f80f0

SHA256
9ce654dbca6bcf99f4ce4a50dfa2c70bde35ac30f215e905fb842cc6476543dc

SHA512
01d9f41aaae02ca16b4788d1f3988ecb9084af8392855463c5d7f796b4a5446748001fc633b9c8df644a444a99e16273fc07bfbe0ab365fb44bf294efb3e5c65

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
796a1c5535b887fcdac0c0197c66a01a

SHA1
7311427595e5162d089cf541aac63a8f60a5bbc8

SHA256
f9c81a9201186ca7a8b3af008a93b82073d9d2aaf562d0cae0db1ba8943c88c7

SHA512
40eeef94467cda85469affe823de578e38681edd82cdfa8484e35c92ccd7d1b16bd739d550559203f5395029392ce9e54864c43239d02d55d239c0eb5c3ff576

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
713c133eaec6e2e4e0923b08e0456eb6

SHA1
7c9e821a995099c89497d85bbb26afe9039e3973

SHA256
f0cebac562ebda2759f3ce1864aacdf80cf5a1902cdc718f4b84165fb753c45f

SHA512
f41b761de732aa12dc9961ab6edc2b63c30504ac330ec1bf98972e6d859cb0f3a2a220e7bd40a303b863addd7b5eb42c33c55bc15e383ff1620d54dcc840e547

Download Submit