edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
Size

2.6MB
MD5

3905ee18c2f3156cfe49911d5a9ff6ad
SHA1

c067bb6a1d36ace10117da5517fae2d2b8fe52cf
SHA256

edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c
SHA512

72fe3647963db4ab9b3cb29ac1c522133e28f0e95c75bf2aec6c3bcfbda053438c4dfe7d9e4a2d5957c96146c6cda71d8b09c3827423b648322b74b503dc3faa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpAbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	locdevdob.exe
1620	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe95\\xoptisys.exe"	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOO\\dobdevsys.exe"	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe
2660	locdevdob.exe
1620	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2660	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	30
PID 2156 wrote to memory of 2660	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	30
PID 2156 wrote to memory of 2660	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	30
PID 2156 wrote to memory of 2660	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	30
PID 2156 wrote to memory of 1620	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	31
PID 2156 wrote to memory of 1620	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	31
PID 2156 wrote to memory of 1620	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	31
PID 2156 wrote to memory of 1620	2156	edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe	31

C:\Users\Admin\AppData\Local\Temp\edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe
"C:\Users\Admin\AppData\Local\Temp\edd89bbd72f7956bb35d298fb8cfc70f6db40077d2952a4239e917fa6a64bc4c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Adobe95\xoptisys.exe
  C:\Adobe95\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe95\xoptisys.exe

Filesize
2.6MB

MD5
0fd674ad923b7a538684a2a5c1cb6916

SHA1
3881772e6f4e0e92eefbf136f474a5cbb204ea41

SHA256
09f2180747f1ea4c7702971a7c39a6ae9d9aa826013f4c270138a4e16583505f

SHA512
4ffa5a7805f23f0847d814033e06713a4ddc40553fb72d931a99f054b2fece665612a15d26260629c17e3a5e043f23e51ecff7dc004c1035347804b0a0a631b0

Download Submit
C:\MintOO\dobdevsys.exe

Filesize
2.6MB

MD5
e85ff25b6e76c125b20bf0b1c24a3c34

SHA1
7d812ec1608730117b4a8c4b9f4d5c6b6f83f742

SHA256
0c5851c7e27d9f4d1298bda3e751754bd1e08defb40e585ab063283ac03077dc

SHA512
49f146e379c7713847f8973bda70474a67848fa140f2b749c3b5c5f4b02969b1fa822b646524c868992fce39af92356e2226e2bb9877de027e87a45a0b46ecd8

Download Submit
C:\MintOO\dobdevsys.exe

Filesize
2.6MB

MD5
0ced5e492541c9c5a94fae14e11e500d

SHA1
e654dabfc96255e17509192338f86348b95e4ed1

SHA256
a26ea8efb6f2c81adc620170694ffae17627ed63c73497377aa3f35d4d391d1c

SHA512
acf979eb4e4091768d8bee79501285680125fcda8c4c09ae4248e98fa90416cc0af8483c0cc746fa824b8509e86cdb21922bb8797b71acb0706789ccca8bddb4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
3e1450b1048426d32e771923016e5ffb

SHA1
aa20f81fff064324e673c494454a7982910e8fbb

SHA256
922baf7688313b16152da152210ca4af34fe0c1103e9ce0471a1437ca5f8ceb6

SHA512
b48faed2f8e3a9eed6895a0554cb6edf3339768245c40d00127effad371efd6c590fb1e1d04a793bf14143d4343a5b4c5a6cc36c1b5093cfe82e69b9d621b313

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
f3aaf0a03ba214b54b18d2a1ef3fc95c

SHA1
081b768096f849a3d98bbd3ebd3f25663826858d

SHA256
bbc13ee12029d47f33c359fe3b54b2ec9a4b66b2ffa761b9e66c5bfdbd78881c

SHA512
b27d2f7d60c9c41e26f3129fa574f21e939f1d915ae85f2e050efbd9973a8141cb7c8023ede1bf1587a31a44e6828519a864d30d2436d6bd5968babde54e5d54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
2d796a1ebab6305ba38456c92089cf48

SHA1
9e3602e7a4815fda0b1181ec47761545c4312dbb

SHA256
77c3a3d5f0bdb5f72271924538c57790c15b5f2f32424af709ffce7d49ad265d

SHA512
f6ad47ea0ec022817bb6e1d1186fac0558f9ed2ec0d3d19669da15f8629ac758ebe2cde2d48909a651bbef0a4b6f1ff6ebf9b57a883b0752a297ad3361c75296

Download Submit