Analysis

max time kernel: 149s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 23:58

Static task: static1

Behavioral task: behavioral1
  Sample: 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
  Resource: win10v2004-20240426-en
General

Target: 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
Size: 3.0MB
MD5: 59aa1e504bfe3f827d1aa215281d5672
SHA1: e1f7ba0ac7eaaa98906129d6d1e455af1c11ab09
SHA256: 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b
SHA512: 079be82c10748216401c1f70a55e841738e5f8127b449444bd3df4c546477544c06c8b6d71d1c1880110ecc147952efc4cc8f57a76559df6ca2ddd70cd9ca491
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNX:sxX7QnxrloE5dpUpzbVz8eLF
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
  description  | ioc                                                                                          | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  3448 | sysdevopti.exe
  3096 | devbodec.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                        | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\devbodec.exe"      | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint94\\optidevsys.exe" | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct pid/process pairs across the 64 entries):
  pid  | process
  3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
  3448 | sysdevopti.exe
  3096 | devbodec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                  | pid  | process                                                              | target process
  PID 3216 wrote to memory of 3448 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | sysdevopti.exe
  PID 3216 wrote to memory of 3448 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | sysdevopti.exe
  PID 3216 wrote to memory of 3448 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | sysdevopti.exe
  PID 3216 wrote to memory of 3096 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | devbodec.exe
  PID 3216 wrote to memory of 3096 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | devbodec.exe
  PID 3216 wrote to memory of 3096 | 3216 | 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | devbodec.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe (PID 3216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 3448)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotHU\devbodec.exe (PID 3096)
    Command line: C:\UserDotHU\devbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads