Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 23:58

General

  • Target
    8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
  • Size
    3.0MB
  • MD5
    59aa1e504bfe3f827d1aa215281d5672
  • SHA1
    e1f7ba0ac7eaaa98906129d6d1e455af1c11ab09
  • SHA256
    8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b
  • SHA512
    079be82c10748216401c1f70a55e841738e5f8127b449444bd3df4c546477544c06c8b6d71d1c1880110ecc147952efc4cc8f57a76559df6ca2ddd70cd9ca491
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNX:sxX7QnxrloE5dpUpzbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
    "C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3448
    • C:\UserDotHU\devbodec.exe
      C:\UserDotHU\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3096

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Mint94\optidevsys.exe
    Filesize: 3.0MB
    MD5: 9d16efe1f319fedb6d5c05ec230f2805
    SHA1: 895d60feafe99ae9e155735da738462009c097ac
    SHA256: 3768d8aed1e9db68d9740f45f48620ea0ddffc7c7f41237273dbd379641740c7
    SHA512: 59b909fb819fab247f9e19fd6ca59d3fdbea03d198351a821040d44a0dad0cd47a78fb9ca01987c0bf97d8cd5450e8958d07e023fe42e3b961e1378b9c28ea6f

  • C:\Mint94\optidevsys.exe
    Filesize: 102KB
    MD5: c15688efbb22ec895ca10c710a32d367
    SHA1: 4bc6a993166339394d7e5c4218eb895dfde3d9b2
    SHA256: 8f2a86dbfe77272f5cd01b6df6cb599b63f61dfd792735faa261fb7de4a7aa6e
    SHA512: e71b00222c9b99f718a9edfe775d62da208894f7179dcbe31eeae7f3b734d9274e6b3e91271c4e799d87d0aa2f9546ac061d99dcb468a572e512d760da9ce418

  • C:\UserDotHU\devbodec.exe
    Filesize: 1.3MB
    MD5: 5d36a83b5f4f8ce4c3790b9a355dd5a0
    SHA1: 1e3540e1f9ee0e701512ebaae2864b4ac094a5e0
    SHA256: 796cb66d32fb03a68e6b49d9ab2ccd5927d8e3d49152839b35f73f0e5930e34e
    SHA512: f472a82a1d772d45a1cd8361cfa5e2ca5a1b7abf2f39422a7014633bbce7a9b80d22a4cf663a5b978504e3086c716fb678d4470609f89dc79ad16763b65828ae

  • C:\UserDotHU\devbodec.exe
    Filesize: 3.0MB
    MD5: f51973f7df249268061bcd3ca93522a4
    SHA1: 8afff12fea8fcbe020194437e72854956b6eb1ea
    SHA256: 8ea80d6a21576ccf25ab7ea39e685dbefa4b0176ce7dec8edf1c83a067503ceb
    SHA512: c307e823eda7fde07bf1d08f12ba639562ce01cb688eaf68edde3795ca5af358b7026da9bbefd07935e4c1670d1e455528b4176e4fd63c46d4ffcdb9240613b8

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 209B
    MD5: 85207fa0fba00942edceccded9fd1c82
    SHA1: c8a5e5fab03335a2573974e9f7eaa2a03f50a94d
    SHA256: 944440fbf08d9d0e1494a88c0cbf730e2cb2bd835096c2a6e4788b0cca86ccb3
    SHA512: ffda7270d4c9d8ac84a8f5d1ac8f1eaf5e490d07bf1a4ded84210dbd90207eb5b9474910c22301a4a0599eaa0604f8bc89a8f0aba9bd4f2fc313c3ed6817edbe

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 177B
    MD5: fba360ae5fba4b869088e82485d5f01e
    SHA1: 10eb25eb886792d6a0bb3e288764aa97ada88f5a
    SHA256: 4af3d505ed2e942bff4bcae5ee74fffa31f2972422aea6fbc9a5b0aa4b9e80d5
    SHA512: 29132f55698633ac35174c3f21bd6476a016dd9010bc560cdce28ba8a77af555ba513d4604bda6fcf7f3d29bd75554bea1fe59dc50de4769a0e0b1be06faf802

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 3.0MB
    MD5: 124af55be3455d489b013ead5ba5d5b5
    SHA1: 3e666315afb189a861a2cc82d90be01718761b3a
    SHA256: 5bb2396ef67bd627e0851b8c17b4c3c688ca093ec3e8f5677a041b60f2fd11a2
    SHA512: d4bb9e7b6bd4f311af73e8d157ba455c14c8550b2356f2bcb0b6e88a41d03ecf02b6cf3c97b63171561fc4665b804716f9c01d8c242460dc31e0fc60cfaa8676