afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebb

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
Size

2.6MB
MD5

3739e4335fc8d0ec1f8e355e633d4a80
SHA1

ea59fbd08bd9cca5e639f31e2530e715c955e2cd
SHA256

afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebb
SHA512

cd6cb64f1ee3daeb74290b7052f576e0ee188c2e3845447bdb4f05c00fbf88b5f7533031b143acc8e0a5ab93760e1add4fbb4e9a30b11d9afbc6fdf619297475
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	locdevopti.exe
2844	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU4\\devoptisys.exe"	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5M\\dobasys.exe"	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe
2072	locdevopti.exe
2844	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2072	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	30
PID 3044 wrote to memory of 2072	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	30
PID 3044 wrote to memory of 2072	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	30
PID 3044 wrote to memory of 2072	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	30
PID 3044 wrote to memory of 2844	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	31
PID 3044 wrote to memory of 2844	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	31
PID 3044 wrote to memory of 2844	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	31
PID 3044 wrote to memory of 2844	3044	afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe	31

C:\Users\Admin\AppData\Local\Temp\afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe
"C:\Users\Admin\AppData\Local\Temp\afee5e614e014f69fdcb1c45740f5a4260ae25bdb25ce530380541077c209ebbN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\IntelprocU4\devoptisys.exe
  C:\IntelprocU4\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5M\dobasys.exe

Filesize
2.6MB

MD5
19e3a7398fcb980105186642963d7885

SHA1
97faa870798b0a61e8cc3f17b8f2e333d368efd2

SHA256
48f03c5d6c80e4c481e23e784ed473255d629eed938c189b0e4e57e3257090eb

SHA512
86cef9abaa5b171674ab3cd3018ac0e6ea4513ac649f40953e09384f85eb3198ab61895908466337bc0946349921f213c4826395cf7edbaa1292f6cd5f87b555

Download Submit
C:\Galax5M\dobasys.exe

Filesize
2.6MB

MD5
75d1040276cf99095cff173777914596

SHA1
2abc7a3b9d35116ccff7bf2061fb62baac9d9daf

SHA256
518b1ec2dec249a0f6cd5ded301085a737cc146152e74cc75849aeba6bd22940

SHA512
29578c691b568e2399b75c9976478eac5e60572fcd6c17864516b2f7944328f44017988fbbd4b2dea1904ab01beee12b359366c2b26d737b1ce0385b5c8015d1

Download Submit
C:\IntelprocU4\devoptisys.exe

Filesize
2.6MB

MD5
013077915946bed37151bbdda3802ab9

SHA1
a3cb0c994009b2e8ef66445e1c28ee1aa94265d8

SHA256
fec9b3af43fbb62667bf15c153921e7fe19226f925c777577516f68263584ba6

SHA512
c85b56c125eb1cc02ff62e3c92e98c18d0a4ea3058f7dbe5bfd6290de0f12a07234316f8533e8c95390cb38651a875eca48cb9df5356b41b12d9e23530c3cfac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
179B

MD5
6dd97af28e08f2dbec52fd8b3bc18217

SHA1
4a63b745e8edc1773080523a4f4ab8ca199fdd70

SHA256
3c28c460bfe8f05165f9480e45258f156b3fc58e6c83350ceacd81769da14438

SHA512
92d9c4c304e333117fb964c79f91807529e152675653d8889b824e1d8677b25534a70c7627c61f512f160dc1ac7186cd6aabe15c0a7696eb3f9f75dc72532858

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
211B

MD5
00ebbe00f861fb6390a8e39ce2f0b2ec

SHA1
21fb815e0fdbfc75f0b0f1f461f3825390503dda

SHA256
40de02cc8172190db2b7b574536f8858e99709986b1a4c66178f36761fe31a6f

SHA512
ff0cd87ef790d0c8c9ac19819c3e9ea1cc51daffad12ffcb25ca300ec15a058484b95821bde3ee72d7500fb272d5563bfd3bbebdff0c48beb2f1b7ebe8bac677

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
d03786505e01f523198cd5fbbb0dca82

SHA1
c0105ccc5d8297183053930fe457d71c9cca1b31

SHA256
8d179bba9e552020eaeca908de065ecc832d4aae4e88879f2390cb45f013264a

SHA512
debf1e271c3e5c3dd13363e397b0592390ee4c41180d1bf3c491fb4fa2934ebefb3b713117c6d9f11312f734dcc4d5366e8f8a66db59638f321eba9c1f49d7d3

Download Submit