5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
Size

2.6MB
MD5

1a168713d89de2e5c655f6a3d34439f8
SHA1

cf75c1a5e6a52687cf224c1f2940d1fc11502557
SHA256

5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a
SHA512

fcc0d7707728de34d8235aa569632f14e757aa270d7cb00218e74e790914160affdf66af5aba31763832a1f312757211b21c730e3d139b0e3fc1185ba4514a2b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUp4b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	sysdevbod.exe
2992	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS9\\devbodsys.exe"	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB63\\bodaec.exe"	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe
2068	sysdevbod.exe
2068	sysdevbod.exe
2992	devbodsys.exe
2992	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2068	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	88
PID 3240 wrote to memory of 2068	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	88
PID 3240 wrote to memory of 2068	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	88
PID 3240 wrote to memory of 2992	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	91
PID 3240 wrote to memory of 2992	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	91
PID 3240 wrote to memory of 2992	3240	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	91

C:\Users\Admin\AppData\Local\Temp\5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
"C:\Users\Admin\AppData\Local\Temp\5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\IntelprocS9\devbodsys.exe
  C:\IntelprocS9\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocS9\devbodsys.exe

Filesize
1.0MB

MD5
9b7432701b58f393f2207a81132da650

SHA1
f108c1de07fee0c3e6b198940b440ef4a65496c9

SHA256
656dfcb8c9e4cad596a32e77f8e2b2671bc45d36538d465edb79c190be51f628

SHA512
a00bc66e4ca3dea3a063c7d294f602ceb74f68eba9abdbfc394633f2b5840a012ddd0245853ca7f6086d5110396081dfd122d49d5062a03e5674075f6d5e38f9

Download Submit
C:\IntelprocS9\devbodsys.exe

Filesize
2.6MB

MD5
767ab381962bb0cb92c4fd052dee8ec3

SHA1
b516821ed7494c34f88de867e4d03432d89227aa

SHA256
ca68b32cb182b69e854ec3c9afda073d58a5aedba5afac4d5b402a03410f2dad

SHA512
567876fcf07ebabcf353dd5c8b8995e16cace8d13b08a5f9981b485df3ee1c18dfde2b1d856fc07e5e581eadbf3e40a40b5c14fbff24845aec8608d9311f39e6

Download Submit
C:\KaVB63\bodaec.exe

Filesize
1.1MB

MD5
dbce66a2c885605875954f75555dcc15

SHA1
19b5e6879ff04babda6abb1c2ba2f8aeaa347d7d

SHA256
8e661dceb9cbc33d3b8a66fe5606501b24039d74f1093e26516b97750f89d0e1

SHA512
96aa2eaf4cc45e6f0388b864e0488efef28ea2df3a0cd45e9f9864f8aeedc8f18c05baf5fd83bd6e6ae47489c8a087646531decdc90665c66084c08b1e3ef42c

Download Submit
C:\KaVB63\bodaec.exe

Filesize
2.6MB

MD5
fd562090da360ae1650e82bdbe3409ff

SHA1
77b6f5f1f85a93de3f2942ae0157c8d38b88140d

SHA256
fa1c661f5e01649b674d5ce5070f7630527f1ec7625a8ed7c292821b980fb256

SHA512
745aac8d7a55a05cbd6e150d996685437914b7f3e3ee7f296ce0bb113752d9fb1ddc3c3fec693af72c02c8fffb165cfdd8360fb35d47cc8cabca0423d6559f1a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
62e7a49a9d78ec6e4ea25e382e53355d

SHA1
21fa6b8755c4331c2de2224cc2655aa755729052

SHA256
cb10b5adbbbf48e9e3df40f60942db2c8d4081a7ec434e4886b1ecb243c69250

SHA512
e8075c0d3ec839cec7d669763f7605037826977bc3646e59bd98d994462279740d33c55efd663e7a4f0523c293e488063009ec2a8fe507ddd2e29489d67fa2ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
2bfd40537dd808d36fc997f510c83636

SHA1
cf8814610220e8d4acfdb9937991c7dd71db2dfc

SHA256
7a542f3edb7660a7379b109cf1330f547d7d5ed9037457d60334fb7aeec7fbe5

SHA512
c1942e6e7c6a20569cfad98118b95aa3b3d2e9983a9888dfe8dd1925447ee80d244f5bc8b892c4a5ffeebcf6918ca0ee5f3f801904cded042ee3ff31fa97d6a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
ed454259f3e74dd77d94b5563bf30c86

SHA1
2a82fee570558c5cba9ba72a1306de80a2d5c5cc

SHA256
87557788a7b1bfd8e247fc5cbab4a00daae6f874674363a5341e1e65d21cf7d3

SHA512
d9fbb465fe15f436299f124652999b2846246c934d8ad00c375f857830d27c01be8b0a7871bde04bd251dee82308424c6c5973169f5fcd7998d77588a297e9e1

Download Submit