1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
Size

2.6MB
MD5

c002a687ab674c6e1cea63d741a88c8e
SHA1

7f09e4fc9fb86972fe33ce660dc0d2372b741b75
SHA256

1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e
SHA512

5ce8fe82acc7ead717b691c0ef653673752f327a03cb4c256cded20c5592a9abb673d08f42057e09793c05dc2299f27b1b58f1337a77d768adca7334f1672e6b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSy:sxX7QnxrloE5dpUpobV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	locdevdob.exe
1888	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY8\\devoptiec.exe"	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYM\\dobdevec.exe"	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe
1980	locdevdob.exe
1888	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1980	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	30
PID 2056 wrote to memory of 1980	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	30
PID 2056 wrote to memory of 1980	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	30
PID 2056 wrote to memory of 1980	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	30
PID 2056 wrote to memory of 1888	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	31
PID 2056 wrote to memory of 1888	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	31
PID 2056 wrote to memory of 1888	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	31
PID 2056 wrote to memory of 1888	2056	1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe	31

C:\Users\Admin\AppData\Local\Temp\1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe
"C:\Users\Admin\AppData\Local\Temp\1a9c5a8bac567ea1475fc96e3268bafd28674f0bb31eb8cfbab5e43bb00e0a0e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\FilesY8\devoptiec.exe
  C:\FilesY8\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesY8\devoptiec.exe

Filesize
2.6MB

MD5
e6127b064e6792d1485474dae2388b50

SHA1
2a5cce17860b9a26e30a178ad58b13d051140b3a

SHA256
a0942e3cf671f87113c4e37ba4c5cf267294a2105b679eed0bc34181103ab31e

SHA512
3d34547e1870eb4ba206507735b443ff06854c35ce71b37598e26476869ef81cb76487b50393737eace4e9431afb632c31bc6623056a599a074921b7fe68e2d5

Download Submit
C:\GalaxYM\dobdevec.exe

Filesize
2.6MB

MD5
09e76b15f91c64fa9d0e84f4d7a76d5b

SHA1
ea79fd28d36482289e97e39da3bd4e9e16b8d0b1

SHA256
768f56af113b2d6ce817d08805620403504a8a0d7ad3b050914200da3082318e

SHA512
aaba2d4edd3929b6e989276858a3a0b41e5d2ffa1343cb5262e8c6bb63ba815842abcb4530a9095b0dbc429103545fe87684bf09d683ed5f9a36326d7aadde5c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
484043274bad65e44dc114e96c0b7291

SHA1
afb6a6dfa7d3c30bb42866d964d54026fe519edc

SHA256
d785cd57011b08ea36c8383d13d6e24d2587e603012ed5f005e34970567afd64

SHA512
7f27079282cf3b4fba7686bf9d123b1599c15a3faa4bcd2a5e507de89e851a5c569137e857a1082e9e4863aa4131c599b99c8aa91e937d1048617abb55f7a841

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
87d85cd7515895a2795638adfe8a3a93

SHA1
ddc1d9a52646423cc7a4d61d9d3d808e5a031538

SHA256
a0064e7d684e0408f0338fbba4c95bd8178cfd3409fc019932ee08cb8f83c0c8

SHA512
05872fdc5a8079f264fdf96e4c429a64ccc248cc519d4fd62acd29b8c515b587dd9d96a852fc461d0f5a4ab3b1e33d9ec14626e593eca59656b6a07a24ddb56a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
f616df4aaefb23420a2fc776d748adde

SHA1
6b237b8186925a82a1c7805735295fd617160c69

SHA256
f1163dac6be33ad0ea26959d1260c0a59eaa1040607dd262a7904bbceb3ccba7

SHA512
0eb4219ca069275420dc438ac9940298e8a8aa87bbe4606efc1f08d7b6005a71d7d0a60860b927f333429941386cdb2117b60fa748930a59d1567d63d9137f30

Download Submit