5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
Size

3.2MB
MD5

5314b8a97419c02d744f072a9edb524d
SHA1

4e1435d34ada0e3270a4072c088f2bcc5da256d1
SHA256

5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28
SHA512

4b8106833ea43f46e65b0a2bb22bc98a0a44dee9db06e8e31a0281b32b9fdd80291fca55c391f8e8351ffe9d36b86f9cbc21d26482fbef512ee0906d2a65f4b9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	sysxdob.exe
3552	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNS\\bodxec.exe"	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLO\\devoptisys.exe"	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe
2040	sysxdob.exe
2040	sysxdob.exe
3552	devoptisys.exe
3552	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2040	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	91
PID 2952 wrote to memory of 2040	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	91
PID 2952 wrote to memory of 2040	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	91
PID 2952 wrote to memory of 3552	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	94
PID 2952 wrote to memory of 3552	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	94
PID 2952 wrote to memory of 3552	2952	5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe	94

C:\Users\Admin\AppData\Local\Temp\5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe
"C:\Users\Admin\AppData\Local\Temp\5c85e074d73ae96f2198e14e880b696f667b56774730e1d6e4f0491fb3334f28.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\IntelprocLO\devoptisys.exe
  C:\IntelprocLO\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocLO\devoptisys.exe

Filesize
3KB

MD5
1158f86a0845ee6fe9ce7b682fd51439

SHA1
caf9890ab05a6eef87827bb3ab60eaee3b254faa

SHA256
3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1

SHA512
3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503

Download Submit
C:\IntelprocLO\devoptisys.exe

Filesize
3.2MB

MD5
c556e71f3dfb4cef32338ea07b622063

SHA1
ff04f963558840c831fc96e6591fabd92b3c2517

SHA256
25cf6c7601a5445dcd6db148ec147031934e31abe2583a56445987dbdbc5db00

SHA512
cb5011a0331c6f78c184916b5bc01761515f69dda53b004151d6a99c192a95e81e45534f409b5d7952446653fbf9444555aed2329e68b2e3ffabff8496a3a205

Download Submit
C:\LabZNS\bodxec.exe

Filesize
3.2MB

MD5
130623f1ba36c2645ced89e9d404a945

SHA1
14a5970b2c801e358a0fde9b5787c2b4ab26c113

SHA256
d298b54fae15951bee3378266236908a72ce859c0b2cd156f2d8077bee653768

SHA512
e47cf532520bfd1337220aedf999888b99172ebd11fac175f9b73697dd7f465d86d2d923e050a920d94d960842879016d37712d26be651e341e74d81c4f94af2

Download Submit
C:\LabZNS\bodxec.exe

Filesize
801KB

MD5
94476593f37bdf94a4f9406049fd40ce

SHA1
063e1d57667672f761fd206cfa5f80e5bf1bcb5e

SHA256
356fbf1ed68d4e9e66adb468790801d57cf17bf63ddd09014ed56d0076d201c4

SHA512
ba82636fc67509abbfbed2b3e62f160ea222fa7ab4b6f645d27b1c9c7f418234c7a7682ec86a35a730b0b9d475645edd2dda7f760f58aef7d2beb955343dfa70

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
3ec7f7957abcab0904cfff8ed1b7501c

SHA1
d21e1104bbf9a611f61d197f533b991af3095d18

SHA256
9b884623cff53ea7403d7ef5ad2a66f75cc669d41e2fc91fce223530c9951a64

SHA512
fd825321779f25869564b199f77e1b4189bec6c7e41d2c57debcf46fcbe1c04d6fdc62a5ae0e6c1b6c3dd2b123414368123f59d45833b73981dc9561ac07bdbc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
94ed73b638853c033ca9bf15bcbea7fc

SHA1
0fba3f47ad1a6a80fdd00c8d356eb0bf0d716ef4

SHA256
d02771b7bd3efa883ed93d5c7b64b93fb2455f2b843cf2e5cea2dc3f59892c92

SHA512
ee300b1f2d1cd47e4f59fbe769a4c253fbc218946c75013eef17cd2be48487352e8632d5d5ce4e882ea6605599f75677a72bce77eb8c00b7e1e7a8c976cbd4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.2MB

MD5
f04f9da1de9a7a6d666ec4e859365381

SHA1
8cf67abf39da103f683483cae7bc421927405bce

SHA256
68e31c79c2def9777d81a39a03efc1956344a93b4f8a59d04cb323cd69cfdda3

SHA512
0541154bafc4e3e4742057180e188ccabece0a663ea85ebde382f6d3f0b4abc3c076ac7376a71a42d10ccd6e49c86443b09b413c7678b66143a1e206e4aa9308

Download Submit