035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
Size

3.0MB
MD5

393a6da9775739cb73d93a30b26bc19e
SHA1

5f239870438730bf52b59cffc5122bbfc7df4ef5
SHA256

035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49
SHA512

4d8698de3473af07b27b70de8431378867ee738a1de77a5227f94e8bf7215c450493bc3adc47660796ee049490a00b6f3a7c01f6862a23c5baaec6b1b3730096
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUphbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe

Executes dropped EXE 2 IoCs

pid	Process
3576	locdevopti.exe
552	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files87\\devoptisys.exe"	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4L\\bodasys.exe"	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe
3576	locdevopti.exe
3576	locdevopti.exe
552	devoptisys.exe
552	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 3576	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	90
PID 372 wrote to memory of 3576	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	90
PID 372 wrote to memory of 3576	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	90
PID 372 wrote to memory of 552	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	91
PID 372 wrote to memory of 552	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	91
PID 372 wrote to memory of 552	372	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	91

C:\Users\Admin\AppData\Local\Temp\035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
"C:\Users\Admin\AppData\Local\Temp\035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Files87\devoptisys.exe
  C:\Files87\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files87\devoptisys.exe

Filesize
3.0MB

MD5
4e132ea5a3cc80ae284d713420fa818d

SHA1
14dc76aecb07edd96a35aad6a4a5cdec91f7ef98

SHA256
7e12d385eecc19991cd7e93f9b66c5e21a88d2fd4bd29fe0e3345dfacc976519

SHA512
29d34357eb9e6da6e496b57bc6c404d6cd62f96b2d42f258910a4d3b93254826275771f345c59227bbd4c697f7ed0812073d5c5cae1cb04c22c436be975818a8

Download Submit
C:\LabZ4L\bodasys.exe

Filesize
3.0MB

MD5
eec038d1879a346f21a22d10c37acb14

SHA1
c3596ea2c01e362c0a31be0f16c9feaac75ae182

SHA256
a5b349a5278b67baacf3183a31312171c4b3b90ba8681bad4d3116d91b1c0d55

SHA512
51670cf2736547b14edf0c3d6752c554d8e13ce4e05a71ebc0df9e7d77ab7310fd663d7d2455cfd84c195f0e84bb0f7f3883e1a1d57df1207ae73e3fe4ed02a3

Download Submit
C:\LabZ4L\bodasys.exe

Filesize
3.0MB

MD5
fdb0e8ccdc8f4fab38b3addcf3ba6f97

SHA1
5cde6121ac274139f57402e5e435f370b2108bbb

SHA256
55761ae010439829c9c74a0de50aa6d4d58dcb4f47f46373e88979da0b2ae19c

SHA512
90bf4c76c4c8bdb5bac17a94172bf472522159d681f49473b38b20737325ffe269b8d5a302b5dd1645f7ef88dba7a0fd194bba0c87447aedbec51a5369f6943f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
ec9143629dfa9c8b4cdf685dbd762f56

SHA1
814fbd1af645c112ac769c9d486bf5610828bd70

SHA256
b0b75e6106677309aadde27939657556e0faecd8c5e9d1c90115328e05349b89

SHA512
16c47e16515d0f33c3ba29ce089681ca711891ef057c168804959a0360a6989008d7092653a2dd178e475a9760f0d0fef7073de21ef24ad889cd46309e929fe6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
07d4e49be1f6d1c0c23bd016605df425

SHA1
d2e0338a5b5e54e5b710c9131cc26ecbf84e98f0

SHA256
e2b05cf162df88bf3564ae3bbf67ecdca9e487da13d99a0ac73bf1c43bb22855

SHA512
9828e9402381e2741a33abd68a35b676aa9c48453b9ad8f9527ecfd352634111e6aa8ce9f7b5fd24c1de987038edc32123dbccdd139a18cb26c961b37b1146a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.0MB

MD5
6330ba65c84fde8a40dd372542ba702a

SHA1
d9318693665f2f0f84e41fb91406ee71c35588bc

SHA256
b8c991fec5af83490d3a658c4318fe13bdea738acd77bf09be4e3a8e93ab2c5c

SHA512
4d91cbc5289209bf020d640542318a2bb597622876dd4a3fec242f261ab7057aaaf7d5a4d277543a5690bdb36fd7a95e39aed16f49f497f5133fdfaa0d0eb04f

Download Submit