38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
Size

4.0MB
MD5

f3ef4aae8524b29016bc1f9ab18be990
SHA1

b7689fba3bd2c5e4f48e8b2f2cfe6ee96362984b
SHA256

38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb
SHA512

da947d4a6a28ceb0744fa102e2b6f4bad518f75e2420da8621030cfad12804a7a58839b404b71e8ea18f3fa914dae81c6fe11783796b5b545b1605cc24f78690
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpXbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	locdevdob.exe
2752	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPN\\devbodloc.exe"	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ2\\optiasys.exe"	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe
2808	locdevdob.exe
2808	locdevdob.exe
2752	devbodloc.exe
2752	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2808	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	89
PID 2832 wrote to memory of 2808	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	89
PID 2832 wrote to memory of 2808	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	89
PID 2832 wrote to memory of 2752	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	90
PID 2832 wrote to memory of 2752	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	90
PID 2832 wrote to memory of 2752	2832	38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe	90

C:\Users\Admin\AppData\Local\Temp\38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe
"C:\Users\Admin\AppData\Local\Temp\38495540ec25c6b42b58517e487a8f8296b5db1a381a8ecc0e091bbdd96f61bb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\FilesPN\devbodloc.exe
  C:\FilesPN\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPN\devbodloc.exe

Filesize
4.0MB

MD5
c7e06cd288137aeae1df3fea28afabba

SHA1
138c2661c5cf33f23c9a4abc0d6ef9439028a786

SHA256
ee0652afeef276af557b84f8c7aefdb098d9c1cac9e0c29ee56d866bfdc38da4

SHA512
f840f2f5bd0f16cc10aabc2e72610d0366eea953393e1856789288940c344cdea38f35974b5974d98c865df607d5bc24425dbceb17d3b5cd2e3f25e60d5c0cd8

Download Submit
C:\GalaxQ2\optiasys.exe

Filesize
1.6MB

MD5
43c1e40f1549421569451f4608cc3b41

SHA1
70bd037f73a7720de7b2e6410752216bab137d41

SHA256
00d02f5f3e95879b242da350ed5883cf7bbab550df675fc34628ff4dd112e31d

SHA512
b4b8a0b78dc6b532417cf4b909d3b05dbb1c44af8864d7453a69b05cdf4f38a9834a3fc59f9cc38f3f85d0d71d0759f949f246d27ae23e04d8b099ed026845d5

Download Submit
C:\GalaxQ2\optiasys.exe

Filesize
4.0MB

MD5
1452faa5684a859698ccbb57a57c6fe4

SHA1
f793e4e1122b528c15330c76c8c59443b0262c79

SHA256
169cfefc43fbbdc2c50e4c6da3a4641cb568c377ac49599dcd5aea5f8d9b4951

SHA512
388bd1c3ca14a7649f69354b4bd6f34a94a349980cc2d598ed99aa0ff942ca964109687a6336944a12681aed41df9e7087f0a8b2304cf20d2dac8139125fa4a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
de122e21655185c2d18f74c702a5b8c9

SHA1
5151311b75638e7b2242076301341bc551026075

SHA256
fd222962c1c4e1b41d6e1c7010ed907865b6bba1ce6c12bc5ff2de7d5cf02bd9

SHA512
ef1a89d43d6d337129d76832cc802439bea89bc55ab46314b8f0190afb089c18a9bf60d5cc8bc1e84c530d9a3c00962e6ac3eee38bd551fc364a7b774880032b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
21517e799564534f2bd0c5be27f821b7

SHA1
2729e7a917250a5af85045429636c6f8a4943115

SHA256
b7da69a31decec3e58a046f0ae77f40d02a2d7afa39f92c27881a2b756132649

SHA512
c61ef184608590ff2216fedc491f1340dfc195685ae53437436581a20014c7b5e2aaccf43e6086b7cc92d1252ef14324a69910012336f31597a630c8a36e7253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
4.0MB

MD5
5de4188352425a33e2f82433505bdbcf

SHA1
03242f374c65d3c001cbdc459d8b4f29b1c029d2

SHA256
c4b3b2c79ccdb0cbd25a78e248188bc84e38dad6a9c272b7fbb5703edd28a3c4

SHA512
cd64853f9c43ec4a409f2bc114fd56b4de295f0fbfc1f94338ec8e69eb3ada6d9e7b12499d51e53c95b98e77636d7853ff5f94531658f2a30ddc10de593baf66

Download Submit