Analysis

max time kernel: 149s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 05:17

Static task: static1

Behavioral task: behavioral1
  Sample: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  Resource: win10v2004-20240508-en
General

Target: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
Size: 4.0MB
MD5: f235e6f64f72a04fc3e66c43d97ad9ee
SHA1: 3b6753a3535a40616ef2bfb93c361dee53c78abb
SHA256: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795
SHA512: 3da2a300802b7c72bdda95d11d446dd633d6e2441f2c0368cb24e034d890acdd007c0fa6181f8d5e837c6bcc1336888206a3013c882b581d5f22e8017dd78298
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpxbVz8eLFcz
Malware Config
Signatures

- Drops startup file (1 IoC)
  Process: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

- Executes dropped EXE (2 IoCs)
  PID 3612: sysaopti.exe
  PID 2524: devbodsys.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYR\\devbodsys.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\bodaloc.exe"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Distinct processes among the 64 recorded events:
  PID 2068: fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  PID 3612: sysaopti.exe
  PID 2524: devbodsys.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2068 (fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe) wrote to memory of PID 3612 (sysaopti.exe), 3 events
  PID 2068 (fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe) wrote to memory of PID 2524 (devbodsys.exe), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe"
  PID: 2068
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (child of PID 2068)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 3612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\IntelprocYR\devbodsys.exe (child of PID 2068)
    Command line: C:\IntelprocYR\devbodsys.exe
    PID: 2524
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\IntelprocYR\devbodsys.exe (4.0MB)
- C:\KaVB2E\bodaloc.exe (4.0MB; two distinct file versions recorded)
- C:\Users\Admin\253086396416_10.0_Admin.ini (207B)
- C:\Users\Admin\253086396416_10.0_Admin.ini (175B)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (4.0MB)