8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
Size

3.9MB
MD5

0eae1360ffb680bd777bf150669f04c6
SHA1

eb972b730bbf4a8f21f5e3fc0775d1c57a1f5e4c
SHA256

8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175
SHA512

a2987f69ab528a230aeb53d807dcc352d8574abf9c478ba859de1a67333d3e4dbc18cc7b75c2889a82357990e7fcf413c688c1767f2997d8f87dd83f978f246f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe

Executes dropped EXE 2 IoCs

pid	Process
760	locdevopti.exe
2184	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv71\\devbodsys.exe"	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKB\\optiasys.exe"	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe
760	locdevopti.exe
760	locdevopti.exe
2184	devbodsys.exe
2184	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 760	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	90
PID 3528 wrote to memory of 760	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	90
PID 3528 wrote to memory of 760	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	90
PID 3528 wrote to memory of 2184	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	91
PID 3528 wrote to memory of 2184	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	91
PID 3528 wrote to memory of 2184	3528	8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe	91

C:\Users\Admin\AppData\Local\Temp\8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe
"C:\Users\Admin\AppData\Local\Temp\8d0220bf22f31ad2c1580688108351da8b60e6006548d5f0efd3792144228175.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\SysDrv71\devbodsys.exe
  C:\SysDrv71\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKB\optiasys.exe

Filesize
349KB

MD5
7743f1196a38576c2fe1c8430cbaca3c

SHA1
7882f5f934b7fc58dfa90359c7e706f96a2eeeac

SHA256
a8f879e3b11f0456a1ba102a13fce60cb39f5aaddb24c093743dffd13cfc4dd3

SHA512
62b35c0f60a0196263df2ade82c378d8c98f1fd2569fa6c5ffefec4242d9517bf1b61a6c2ac7ca007f753b734501422fecfb5eeb8e0b635a9dcfd668ca97d435

Download Submit
C:\GalaxKB\optiasys.exe

Filesize
3.9MB

MD5
3c4bc83145b7299b103d17fa6a54a447

SHA1
68b1b5abcf4d91123fbf52d2846db15267bbe71f

SHA256
4d5d12d021bd0a0fa0fd4f32b0d732c04a42b4cd9caa7e9f3a9eca2f0192d8e3

SHA512
127c7ce80b45f931107d732df7fe222969d67d1da3a4eeb62c579799998e546f4adad79536dc4bc333b75f32278248ce233ab42c30afb1a605a29d3983a23ed3

Download Submit
C:\SysDrv71\devbodsys.exe

Filesize
1.3MB

MD5
ca65414ce71481f0397928f02a15fe3f

SHA1
598a0e3430efc8369b5b1d72e7fb28fdee316aff

SHA256
26dead090503dedc9403beb9069dbce5996e778900fe5aff5d1cfb99fb44ef1a

SHA512
8253cabf2e24c0a1e127d23fe57ad2a1f6c819a2f773ff682aa17edf69ab4833f1673ca1a307b735f22cdacb640ae371d6f19e9671186aab7e071713cfb30dca

Download Submit
C:\SysDrv71\devbodsys.exe

Filesize
3.9MB

MD5
30d52b2295e877ab95462e45539aec8e

SHA1
4c6c21dd97918abe07968e18438cb9a6fbd0b851

SHA256
ceb46ad45eab6297702b83cb7282f18ccee49f43c65db3800b5fa87525d6e279

SHA512
3d98af4582055d49b3c13fe83f59a2e8db211f1bfaa9e4ab51a26b0fb2ad21d6deb0282563244a512c0e1fe3bb33285e76964a8fe4d14f671bdc34078de3380a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
4ab878bce14a4a2691b1b841883241ef

SHA1
1b76005670fac1763580160a468ca70cdb399f5d

SHA256
4d55ac6ae3a60efe56d35818fb7635728867996bead743d26050f1dde433cc6a

SHA512
c5a0fe760195d2b480da8dc6dcc46239405a79ee52bd014c9a89a01292b849527eba9e36603b1d4a42aec5b5c92eb79d7ec4661d3ce3d7079386c86d70f713b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
b4d4d7530cc980aebc4cd35589cfc9cf

SHA1
ea88e3b94d483dc7ca03bf41ba2cf4e8542ed517

SHA256
666e4d574ee19e2f928fb3aa520fdda25620c80414b41ad8a61860707eaf3299

SHA512
9b9c410dcd4db05c733d9171a9317803ed26c263b54fea0dd59132983f37e3e6b13a9486e0548d6ece1337afe4dd2484ed9d6d8f3a2e3e3e5fe6a3eb1578d634

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.9MB

MD5
758704135a895c2c0d3749eb19f08e9f

SHA1
b969a51f71bd3a29ce3a56dbac478ac7fc3af6de

SHA256
161fc70daa542cb5965079a4e71e22a44199ba40c69c069ada041119d1a7c02a

SHA512
629317081fb7bed45c7b9af94ae81a9cc0b78e273b08a0e7b4f4e9f3c541514b2da703b9268ca55970a839b83407f2df94f646bcdcce03193a7c669b195bc23c

Download Submit