4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
Size

3.2MB
MD5

ec6846f3af911edd9b87f8b4f6ae1388
SHA1

0535f71272c59fa4ab93d60f3c57726ab22249fa
SHA256

4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd
SHA512

85fa7c07fcd1e6ab62a0de15acb1f0222d5e354f748402ebccffc600fc9a531f24b3ed32fd63710a79220a30f52475a71b3810d187dfa67b1ee5416cf4cfce20
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpTbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	sysdevbod.exe
4072	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG7\\xbodec.exe"	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCG\\optixloc.exe"	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe
1716	sysdevbod.exe
1716	sysdevbod.exe
4072	xbodec.exe
4072	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1716	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	89
PID 4952 wrote to memory of 1716	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	89
PID 4952 wrote to memory of 1716	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	89
PID 4952 wrote to memory of 4072	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	91
PID 4952 wrote to memory of 4072	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	91
PID 4952 wrote to memory of 4072	4952	4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe	91

C:\Users\Admin\AppData\Local\Temp\4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe
"C:\Users\Admin\AppData\Local\Temp\4d56835dbc59a5143390f2fc14475c5815a6d66a2658d55bbd242174082189fd.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\SysDrvG7\xbodec.exe
  C:\SysDrvG7\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvG7\xbodec.exe

Filesize
925KB

MD5
8a16ce21a8331f9dd1802d8d37812676

SHA1
f31810c039498d02819639ff44de2c7852ecc5e3

SHA256
9d088705af421b5c34b76aa30ef8552fd5507b1286f27b2569a06f4ad2139a47

SHA512
0502fad5933d9d1a88e4748b1d65bcf5845b9bde9d679dc86d8217a4267f647e79d4198c866b3e1aa2bbbd3a418b8a3fdc8a361a2925cb2d36030660cbfd3dbd

Download Submit
C:\SysDrvG7\xbodec.exe

Filesize
3.2MB

MD5
32f4e5a045290d2bf261ef32684754e3

SHA1
d1c4d2415d8deb9cbef3d5fddec7891444c92280

SHA256
9a4b32a3dd3013aeb01136a4f42a28731418b67d64c1a42bcef0dab556861131

SHA512
bbcf965716f0be129bdeed4ce107070330702a61b818e4a50d589e288be6438075517ec93d75ff53d0ca0ac58fb7603987113e725779bf0083c8b0434a868796

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b45d34049d40c657913748f7d091ecf2

SHA1
9bdb1036c6998e42cecc2b1cebce5438773d6789

SHA256
d8d430f28c97a76816678809041bb7e40aca15867fd5c97eb118a66b11316515

SHA512
9ec7285a305273fca126bacbe2a94384d58b2f6f33c942c8029ec95c55d5a0379dff79afd09bc2bc1087bd7c2e3889d243476c492d8f4460000d4e44fc7384c4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
f117c435357e049a2b1191cc10518273

SHA1
bd86fbb221ec62169f7524cd8bee4f091e4b6f58

SHA256
c23d9fb9a0eefc675470858b70effe982a02b8a4dc5105c259ded58e1c091cb8

SHA512
2c9811d962762474db4dc4df66d4c1aca0c668691ae03912120ba5443dface30248cc5be419f9b1179935dad8a6ef7918426cb256e5d97d76a0bcc8f5617d4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.2MB

MD5
74efbf0bc25f394b892d0f5b6510b09e

SHA1
4dd22831f858a3de054db67034441b330bcc29c0

SHA256
9fda4d6f865f325c27f8e83a50c52d7014911a01a1af867e2b0ab94dfc022e35

SHA512
0a384b309752ed25f4d54437af20ea1f99d4accaaecc4599ff5640e7bbff9a63f74a5562c8ccb4491711932ea0d1056f7cd7de155515139dc3b16567358c31b6

Download Submit
C:\VidCG\optixloc.exe

Filesize
3.2MB

MD5
4d4d929e3ac95b2cace2ab6765f3139d

SHA1
d8ac7d635da77e660c0b11a19c9b0664ff8dcebb

SHA256
e142e0580c79a25e326cdaea965fb7681770b3e0bc25ba5729c5a7c043a74b53

SHA512
89f9bc7a8008736e049836e3c4348d2bf81b69c081722a4580aee8935f8eb798759b73bff265af216f94d247bb6704e27e414b7b83dcb1f3a4087245e681a347

Download Submit
C:\VidCG\optixloc.exe

Filesize
3.2MB

MD5
f163f60fd145818357c3680c30050a3b

SHA1
ceec365084bf10f85760805bdabf182fd3a3b449

SHA256
3d7eca2ad62702a3593a5684032106a71ef3cb3e794a39882f54ae90c1b55ded

SHA512
3083c9c0d51f83748cd6dfa6f45b1973b109e2bbaeca7c4ddbfdb49d402c707322d8b545f2790512ea82799cd7b59c2f9bee53464c75e174b9035efc3ee9c969

Download Submit