cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e

General

Target

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
Size

3.2MB
MD5

052ff82301ca1d527e59fec075ef83ef
SHA1

df525deea057835b27d16158df920b2b1aef740c
SHA256

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e
SHA512

3d0fae2d8ba99adb133b0f2165c1b62e5f76bca631297ea79db9f62b34c1016c5a50ae6fd5e9ca52cc91af6e80ce5740220b5ac71bd87d11b3d9d28881a3ebe0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevdob.exedevbodloc.exe

pid process

2992 sysdevdob.exe
1884 devbodloc.exe

pid	process
2992	sysdevdob.exe
1884	devbodloc.exe

Loads dropped DLL 2 IoCs

Processes:

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

pid	process
2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJP\\devbodloc.exe"	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optixsys.exe"	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exesysdevdob.exedevbodloc.exe

pid	process
2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe
2992	sysdevdob.exe
1884	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe

description	pid	process	target process
PID 2772 wrote to memory of 2992	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	sysdevdob.exe
PID 2772 wrote to memory of 2992	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	sysdevdob.exe
PID 2772 wrote to memory of 2992	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	sysdevdob.exe
PID 2772 wrote to memory of 2992	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	sysdevdob.exe
PID 2772 wrote to memory of 1884	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	devbodloc.exe
PID 2772 wrote to memory of 1884	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	devbodloc.exe
PID 2772 wrote to memory of 1884	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	devbodloc.exe
PID 2772 wrote to memory of 1884	2772	cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe	devbodloc.exe

C:\Users\Admin\AppData\Local\Temp\cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe
"C:\Users\Admin\AppData\Local\Temp\cd7e19e78bb40d88b3d6a144bf219a918bf231ffba0f0f1e615948702982594e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\SysDrvJP\devbodloc.exe
C:\SysDrvJP\devbodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1884

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB77\optixsys.exe
Filesize
830KB

MD5
41fe2253caf2ef2b826b9ce31ff2c83d

SHA1
3d9adedf1386772a64501c2cc097c8b9df141111

SHA256
1348abe8085cd2578a35293ad061dfb9852aa7507ebff47459f1ae29bce9a6c6

SHA512
a2163eed1add5780c1253b4fde4dbc39cecb889681de142dcfe3954a77ecbe3245465c70eaddbb2f094e11aea6083e73297bbcba74a1e6df228ef051b0ae6c17

Download Submit
C:\KaVB77\optixsys.exe
Filesize
319KB

MD5
95b62de0f448adab2e17417e3cdf62c7

SHA1
57cf25f807d41b97afce52b10c942122cbd5d6ef

SHA256
db32b60888afb740f79cb99caf2f2db81bcab724dee14ba2512ef3e545694a90

SHA512
b301ea9021970176ea55d93af369583220b604ce079ba281137ee764694ec80db10ac33e005d13dc8c5fbf49cba5f055e0173b60f07dac402ff0f09bc8a8d538

Download Submit
C:\SysDrvJP\devbodloc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\SysDrvJP\devbodloc.exe
Filesize
3.2MB

MD5
05bf4dca07948a61fd8e75b9111b6152

SHA1
e7e33e97d2a95d019d2c19e20cde26e49dd283df

SHA256
d0288b82e998366b925248481786992bbdeb808cb04f83cf98d5430d93055417

SHA512
fe556ba5adc35a025bb814a4db8dd707e3b0277515a83338e11a1b84f15449f89bf2f6f2dfb779d80613c362bd26520cc4482fcceb7b47fba00f245a6210c926

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
174B

MD5
15aa287d5ec6dc086d222d936e081093

SHA1
3f3446384964e11c8aa285f6fd13e9998c7402eb

SHA256
0a676f27530721704dd8d65a587002707c877ca0b14be130015e267d1434f274

SHA512
09acc5bbe4f20001f7b34f3c30ca0b2c5b5e805a97c50b21fefcda99b7376286d6ba87c9cfad6f23adccc9d7ec0f727ed92148c4a63b77f33f77de839f18f352

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
206B

MD5
b4cbb26c9bdb9d466a4a2e656ac45890

SHA1
bfa79c318c289f7a54bcb37b82ccca81ca3e4849

SHA256
66a673892aacc9675e12fd0d2c70a8a5d3729f1812b77022e4c2a6ef6f921697

SHA512
d2f2a8b3a8da78f0182779b65b769be82ef609800de1963544207218684e92eda9c6e689a8e5eafa79bf26ef6987c137b837274fcb12cb6b8d8b4129f6f401f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
Filesize
3.2MB

MD5
3d5d1ca0c6c61a6b855f928a890389f8

SHA1
07af9a30964f89a6809a9fdecc75fc8d85ace738

SHA256
0993e436f6c13add39c644fd311ecbbeb966b77a4ea0ea78cf142663d6514472

SHA512
59150b674f99e646aae079db9a37a589fe0bef34b9519101eebc9b8246aa3b6d6353874ec1821e69e5701ec171f7c86492c80bdf84497840f9286f0ba9d06657

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads