30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
Size

3.6MB
MD5

478470e86bbc59e4ccf21351ba71edcd
SHA1

2b59f1646b99787b79a649ef4f4bca818fd122f0
SHA256

30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb
SHA512

24f049176b4d178a18acf3d4bc8929e07972f2445c8b8830dfbe19792739ea45e319a5987e0075b641763bbf4ef5dd62e0c805864408da077c398b2a68151c08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe

Executes dropped EXE 2 IoCs

pid	Process
3568	ecxopti.exe
4320	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvC8\\devbodsys.exe"	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3F\\bodaloc.exe"	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
3568	ecxopti.exe
3568	ecxopti.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe
4320	devbodsys.exe
4320	devbodsys.exe
3568	ecxopti.exe
3568	ecxopti.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3568	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	91
PID 2620 wrote to memory of 3568	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	91
PID 2620 wrote to memory of 3568	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	91
PID 2620 wrote to memory of 4320	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	92
PID 2620 wrote to memory of 4320	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	92
PID 2620 wrote to memory of 4320	2620	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	92

C:\Users\Admin\AppData\Local\Temp\30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
"C:\Users\Admin\AppData\Local\Temp\30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\SysDrvC8\devbodsys.exe
  C:\SysDrvC8\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ3F\bodaloc.exe

Filesize
790KB

MD5
3f5eeeb311c42e4eebf7a2f41849cd15

SHA1
4cea03b6d497cd305d2348b61633b0f00971ea2b

SHA256
619c0e2a3a1ecd55009980416ed8dc2be5d220dbfd391c39a7d99ca46485744b

SHA512
0ceebd89ff3fe70d41a4aac6df58c7b8635b22609fee00d75701b81e7f862064b374be3c245713dfc09cd643282f27f963e9fff29567ab01084bb384cb68d85e

Download Submit
C:\LabZ3F\bodaloc.exe

Filesize
3.6MB

MD5
a638798e4516eee353090bda5e94de4e

SHA1
e455002f0a7967b2830dfcfef9cc86b885137a73

SHA256
88251f1350d86b8ce0068a1de5a518f12b8f5c398afdeae4d54666499cdd32bc

SHA512
abb400943899eaa8b6dc69769c02c23ff65d9bc982bb735b08233d33c737881a78d4c92ecf3528e04ff8cb979ecc857d546722825e89f8784670a918d7f7cede

Download Submit
C:\SysDrvC8\devbodsys.exe

Filesize
2KB

MD5
9f96bc76f29d793ab45b1ae4f654062a

SHA1
a9bf818d9198d791ad00946e887e72a71ed7dd04

SHA256
c3c997aafeb0ebd09d49c4025218a6b5c0e5d315c9afa83a05732b0be7de7814

SHA512
37010d647b0a90311ba860866ada29d813bbc72105b182b5ed2c8921151c54d99a94e12fa512acecf0ddedff61703c62a8e22f8abb2a48332660efb7abe8f277

Download Submit
C:\SysDrvC8\devbodsys.exe

Filesize
3.6MB

MD5
c2b4fe1c20c4d23dd1df955d586d6f51

SHA1
4a69431c9283b62b6e79eb24ce0804adb5869425

SHA256
bcc1bef862d6ba7d9d39e66ab30a5ff1367546428c344e464f04068807521b42

SHA512
6f4bb2c64aa6c6cc5068b78cf798c68b9c214a94dcf10449b660531c2a4208f6cd1dae42b4eb71b0fbab166aa98395f289591990082132030bc04ae57a215ba5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
641b9a19f8b90d9d0179126317d64de9

SHA1
6dba927c8ace39036e47ae1b64df47014f8965aa

SHA256
e3f311daf505d4b09ff6d3c3fcde5613a0d9f57bf839bc0cd337239fd84220ba

SHA512
da9b80e21472ea168228aca32fe18489d10827189f3560084774406de77f417cf6c3fb72b3356cd0005332100204c707d57d7c1781876bc29d5100c124956569

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
ee7110b775245b59b56a70c525b3d337

SHA1
7c67341beb41e799f26efb0bbcd8fc462b1e5c2e

SHA256
9a7f785ca135377583a07cff9305d4bef59b515517e16db76bed8ab6d3317fcb

SHA512
27d723674df37670f2d97ad9b7632ec3eea8fc9151282abad3a0c90be59890a779874ccfd72d363deca7fb761b7838a01053988cb380b19838e32ce5fe2e7d39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.6MB

MD5
08b547383b42ed00d2229b8e379575fe

SHA1
7c155a0323f4dec864d0bf708ef5631163e29043

SHA256
04073fb2fd26b7e6430887e55ce9de8333979ea010320659cc7ca6beb0da3bcb

SHA512
4b60c7f227d0e374b450a7d013687787c250954577c0094604414aebf9d74ec1c9cb6a5811d3d0010e1fcf3b5517d729383c5f08807fe24ffe97ce6cdabc5527

Download Submit