b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
Size

3.6MB
MD5

2fe1a070e5d629a464fb9e069afae6b2
SHA1

67b5892b75ff1d5d5108d4f37fc8d74557e30e6b
SHA256

b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc
SHA512

09ffbeca7f84f8d7b270a688deffceef2c713940a118a6e656c9560876d08ab7ed04890dd3664d0cc40eaa907113b94127897a1d7ba63251045d068b8da5ed53
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSqz8:sxX7QnxrloE5dpUpfbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	locabod.exe
4552	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBF\\devoptisys.exe"	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMG\\dobaloc.exe"	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe
2216	locabod.exe
2216	locabod.exe
4552	devoptisys.exe
4552	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2216	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	89
PID 3432 wrote to memory of 2216	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	89
PID 3432 wrote to memory of 2216	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	89
PID 3432 wrote to memory of 4552	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	90
PID 3432 wrote to memory of 4552	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	90
PID 3432 wrote to memory of 4552	3432	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	90

C:\Users\Admin\AppData\Local\Temp\b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
"C:\Users\Admin\AppData\Local\Temp\b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\AdobeBF\devoptisys.exe
  C:\AdobeBF\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeBF\devoptisys.exe

Filesize
3.6MB

MD5
d655e9b924d3374a69cafa22a012224d

SHA1
9dfcbd15cb5f97dbdce7e8a4b0f5e08f66e5385a

SHA256
be13ecd2703a4549215bf4d1fd171c02dbe59fc1288b67e9d49f62a97a712253

SHA512
c2e28a93490539170766e41149ddfd7d0ac9a72ba221df52ac07af3beef0743b7d9fd05015dac068d30eea275bdcaa7b614ba83d673ff3df9259a52eaf44d2af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
7c8a7b6e56a432b333822ef5b0877293

SHA1
939e3b1a1343b196baaaa138072fd045943ddbfe

SHA256
b7909aa9fcdcd0cd59c617811074b2a31f313f65da037a148f1d00fbed9a59b1

SHA512
fe228a555bd02f25b73f39036baf26b066efa1ce3300debaff1bd2e90d1cd81ca85c3ba479dd623d4bbce179f32df0f7557093a4b0fd35efe9ae45733eb661cc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
97870e68bf85b4fb6d2b9ae07dddaeaf

SHA1
93adb0c44369dc880bffb49b2b3524937a17630c

SHA256
c4cb56206c887b51fa5d80892721c1a1ddcb4ccf597fa991496618365f022cba

SHA512
bc21decd5d31c496c288ce3c23b512240b6d2849fb3980f0171a474b66a4c2a4159ef19e4b65b750fab233ead70d3b76be8da02682ed91bed244a5b5e8e0ea89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.6MB

MD5
98c2c87ed67fc6f9a1551e5b14cc66d3

SHA1
78f1eca89aef1e8abee0b34288a014abaf4a7fb1

SHA256
6c9d73f7c44a827c661445985a2173adc4965a494244035553c1659258b0dbe1

SHA512
225ffd1ff3b8a4bbdc7bdd79f68f2b70e70e0a4d89458846d8a05a5910bad870dd831b5774e6b13f86527f65bc6db8635513e4df6532c9e3a78a85e78321c0c8

Download Submit
C:\VidMG\dobaloc.exe

Filesize
3.6MB

MD5
52e43c3c9f13c2a064b5a14b018610dc

SHA1
68fe535fc15251a753e4cccec0813dc4a65e6315

SHA256
e8d4fcbd6c0c244091bce874db3346842a3e4f865c9989b564e66fab7ed9dd99

SHA512
e3e6ea3b48c0e3c4b324d9b2ac8100e8632a3d2acd1af64eb96dfa442f838e9cd6e5728325e3def72c8dc829b71c83ede6167b8412a0a3f3ebc1110ebebde9fe

Download Submit
C:\VidMG\dobaloc.exe

Filesize
114KB

MD5
83139111c79303aa8f891905f45edf6a

SHA1
9a723fd4414f33bb05742008a9282a1436982042

SHA256
2fbe1b6a393c14d200191d36b1658595d03fd919084623c4bf88cc4febca0a42

SHA512
015db8167f0525da4626cb843385fb84dfa3bbb60280a89c062edb7fd6c5aa80ce3d92cf1a77ad516b1e0dd621debedf26ce484c3548aa9e3992da75b67770b2

Download Submit