fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795

General

Target

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
Size

4.0MB
MD5

f235e6f64f72a04fc3e66c43d97ad9ee
SHA1

3b6753a3535a40616ef2bfb93c361dee53c78abb
SHA256

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795
SHA512

3da2a300802b7c72bdda95d11d446dd633d6e2441f2c0368cb24e034d890acdd007c0fa6181f8d5e837c6bcc1336888206a3013c882b581d5f22e8017dd78298
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpxbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe

Executes dropped EXE 2 IoCs

Processes:

sysaopti.exedevbodsys.exe

pid process

3612 sysaopti.exe
2524 devbodsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3612	sysaopti.exe
2524	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYR\\devbodsys.exe"	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\bodaloc.exe"	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exesysaopti.exedevbodsys.exe

pid	process
2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe
3612	sysaopti.exe
3612	sysaopti.exe
2524	devbodsys.exe
2524	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe

description	pid	process	target process
PID 2068 wrote to memory of 3612	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	sysaopti.exe
PID 2068 wrote to memory of 3612	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	sysaopti.exe
PID 2068 wrote to memory of 3612	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	sysaopti.exe
PID 2068 wrote to memory of 2524	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	devbodsys.exe
PID 2068 wrote to memory of 2524	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	devbodsys.exe
PID 2068 wrote to memory of 2524	2068	fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe	devbodsys.exe

C:\Users\Admin\AppData\Local\Temp\fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe
"C:\Users\Admin\AppData\Local\Temp\fff5c6d5c8175b2fc89d94d7e1d54b02683b43b200f3109767e7466f23e7c795.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\IntelprocYR\devbodsys.exe
C:\IntelprocYR\devbodsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocYR\devbodsys.exe
Filesize
4.0MB

MD5
a8aa0b39e590158ec4b3c1d82f49cd06

SHA1
21ef026aa094b6f99d71c8f1230c4c51af22a7dc

SHA256
b0d31f8cf5962fa00681a60451edd48ee07950e41d954b4236ccbab6879f3fff

SHA512
0493445482886e485d42f1fa05d53cb8ac520f5e9c79fc17551646067501544438b06a56900f2db083b6eef214b48cd69165af8d2ce0d370afa20294055ff156

Download Submit
C:\KaVB2E\bodaloc.exe
Filesize
4.0MB

MD5
d77f05ed1d5f621f8d5f98e30aec1651

SHA1
7eaf69971690d83a21d76e831ca80402eefd7600

SHA256
822e73f8e485f0a7e042414d6326c864d4d63f7dbb7e100c7aa82f8a48a13189

SHA512
7986c1d11b06ad0913b4b58087a2fc42e34e5086d9e28def6f8a47c47c90e7285583c93ed90b546ed5ebe2ec9ef1d16a2a057da268319d6a1c0eef362ab6376f

Download Submit
C:\KaVB2E\bodaloc.exe
Filesize
4.0MB

MD5
feb9307aaccbbb4f9b69b74cbb3402b9

SHA1
80194d2ef70e2d71353ab61a9ee3381c546f0186

SHA256
687f40b09b536d49e8aba95a82e436e1d78e0afe70d92bf739bc2f0f25e7a516

SHA512
22454d7e834ae679f09027bd3214ff79a7c53abcd6b9aecc789acea31a3a263089bbb5c2e07d41f233706031e3473edb7ca63d79ddf570d1fb980049f0c7f426

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
207B

MD5
55d7f016b8a8c380316c57fb48b39a25

SHA1
7497b8fec93a819f7d8eaff98b4336b36dc4de8e

SHA256
c2d793f21645ebea150f8b2ff5048aac31d27f77099adc611c7c6ef674b50eb8

SHA512
c610506dd8b12138799339fb52d06810c4e63c43360ee87ad9b063a38d7e05511920064d185a086d079c7ff68118a38dc5b20c3ace52490c1b407d50873b15b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
175B

MD5
670be96e38aa44c5f1b2214f591946c1

SHA1
0cb7658fa502a9fc5dabb2b010ef55185ba5225b

SHA256
c14f57660479297d0b9d881a2589c47e03290d3a419b51442ea7a362a874e643

SHA512
669085929f5a18abd59a8fcf1f80c2f5350c611a0e64ed2f69b1b349905eb456f01fc845b93018fe51e5aa103c000e9cf33348d23dcc6587f0dc975ec9c8245f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
Filesize
4.0MB

MD5
08f1db49e1cfa5897b8f9aa7badeffd2

SHA1
30b9b28452f081dd73c50025c5cba3c8e10f7c89

SHA256
5b4706ca93500689ac64439f807a478baa80d717baefe36bbbeecedfbcdd0469

SHA512
5d4be0820f6101566990f4409523bc24ad47fffb126c126eb9c5674b860a5b9d63be3bec31c0c67f60078f71d66ac51e068a2966e2fce829095787b0a37ed412

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads