76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
Size

3.9MB
MD5

16be5e62a49e9ffd34c0c6719b93da57
SHA1

0b9d041af5deec5e1bbf8746f93b4de710ea9492
SHA256

76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24
SHA512

f33ddf10eb63f2d289e385923dfa4024c3ef52476f66314f5c42e8408844e1630815d4458f54f832c2cc2b01e1c81926cb51580b9f70e35cf7258edd95811e74
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe

Executes dropped EXE 2 IoCs

pid	Process
1224	sysadob.exe
4372	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP8\\devbodsys.exe"	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAO\\optiasys.exe"	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe
1224	sysadob.exe
1224	sysadob.exe
4372	devbodsys.exe
4372	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1224	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	89
PID 3936 wrote to memory of 1224	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	89
PID 3936 wrote to memory of 1224	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	89
PID 3936 wrote to memory of 4372	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	92
PID 3936 wrote to memory of 4372	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	92
PID 3936 wrote to memory of 4372	3936	76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe	92

C:\Users\Admin\AppData\Local\Temp\76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe
"C:\Users\Admin\AppData\Local\Temp\76a13485ddd079f21af9db85429ded4e1f111ddec893c7a611a9d622dcf6cc24.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\UserDotP8\devbodsys.exe
  C:\UserDotP8\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotP8\devbodsys.exe

Filesize
2.5MB

MD5
862bd192ac3225a59cf63cfaf540da65

SHA1
4bc23ea4d2a982150d856458937b9e3e16979957

SHA256
1494eda1a7db1cc2a50975135d5d0c1a0cc7e7f803504aa74878eca9fb49a8af

SHA512
5e12954ad7f962cfb14d2dd6734539a2102fc58b5e8f575282e9869e1709c2cffe67b3b0b06ef78ea578472aa88331bcb6db63af1cf9813042c7bcd049c8ca1e

Download Submit
C:\UserDotP8\devbodsys.exe

Filesize
3.9MB

MD5
4bdaf545b7869dba7917fa5baff46032

SHA1
f2fff75b89d7bc8b0360c749f6f90ac3f9499835

SHA256
8bac893067f3bcafe5c0c88bdc01bf7830facf913d6d82a5d3a4cdde6a907745

SHA512
1e150e7ba22b7f68a109afc39910ebafa71f941b024736a0960a2157a91257400e201ea7bc197bf8011201afbc932982b254e62b4313b58b42c7b8b0550f27d4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
29245ae4ab5dfce8180e858cbfa91973

SHA1
5082e9cf743fb6b2d09fdde7770749fab8fadbc6

SHA256
a33d71bf5cc24ec8dfefc3e65ebbb3e7d4fac5bbbc17f5084692d66afe469d7d

SHA512
b364e39442d5015cc08bf8ffc9d917ce81881e9575f14e621c1fdc2d6cd9c25b165d00f69c9bf0f9353cef6eaaf2e04a68f34c9c5daba56a47599015aa9e25d9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
3450707f21a73ba8522b4796547ae811

SHA1
c3a31362fdbf586c8b3100cdffbfca74e2a9dff4

SHA256
05d4f3358ac2bab607481e4acbcb554b3339420b38f1ac84bbea8f7c58a20d06

SHA512
8304f4bc7d28ee02ccc144d450d856f940f5baaad2ad108bad5b0032055f9fd9ad135ec2f731a7852d80f6e4d784e3a3640b68f1f478c3e4896f46c357e6951b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.9MB

MD5
e56cb8b56bc5f7009c339dcb347c0e52

SHA1
ec6c0df8a925ad4c141f1ea0cbf88c99e5cf336c

SHA256
920e6513498fec62d731bb97b1a1b83aafaa2dd4ce15dfca6494b6bdb4605bf4

SHA512
8b37f03e9c3a3a3585bae53df4b60e30dca780190e00cb54efe5295c371149085d2076cc70eb9d1160517a3ef574025d61b02a0282bab62e6e295e34f014bd8c

Download Submit
C:\VidAO\optiasys.exe

Filesize
623KB

MD5
3409ee4c18ad6d52f70de46a75f070fa

SHA1
53df69a1ad5e46ea96600164a25daf75fd61079c

SHA256
3aacc8249f1fb9afc4495f03ca8dd34ab917b1009e2a43c3c51aef446cc26de6

SHA512
0f3fc1106263e637a945eadfbc720254f3d007bf20c12990fed082f3cf7b3a37ea52af79d015ac8ed271d078d4c61a78fee3fe0ef92f3bc597fa12eb518fad39

Download Submit
C:\VidAO\optiasys.exe

Filesize
3.9MB

MD5
7cc8529f5f1fb84932579f1a7d77c839

SHA1
96719ce343a50bb1ad25a5e993792babfcb44690

SHA256
aa03b464ead67bda6c1ed6cf2fe1bb76fde8ecf2d656e2ada86817397fd8d6bf

SHA512
23fdafbc58135fbf4c0c8c9b2ba6afcbf51f897c5e51ed562dd6f65ca4697a6d30529b882d8f90072baa84f0e609bf3f8eaff2b25c3690b62ec1993f18c78652

Download Submit