Analysis
Max time kernel: 150s
Max time network: 100s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-06-2024 05:41
Static task: static1
Behavioral task: behavioral1
  Sample: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Resource: win10v2004-20240508-en
General
Target: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
Size: 3.9MB
MD5: 62de0e03112b50ef658e3d6477e0b2c3
SHA1: e5e1ab14aee7bb6e30cd250378238a005ad863be
SHA256: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77
SHA512: 957377e00975945f8ba188ddd7580281d2678fe32f3170bed9ab6ea215b6fb738583bd67432cc6e34b0839e8d621611be52669630e1413ed626c7a814335884b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUpLbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
- Executes dropped EXE (2 IoCs)
  PID 4720: locdevopti.exe
  PID 548: devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTN\\devbodsys.exe"
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUS\\bodaloc.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe, locdevopti.exe, devbodsys.exe
  The 64 entries are repeated hits for PID 1812 (f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe), PID 4720 (locdevopti.exe) and PID 548 (devbodsys.exe).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  PID 1812 wrote to memory of 4720 (procid_target 87), reported 3 times
  PID 1812 wrote to memory of 548 (procid_target 90), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1812
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4720
  - C:\FilesTN\devbodsys.exe (depth 2)
    Command line: C:\FilesTN\devbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 548
Network
MITRE ATT&CK Enterprise v15
Downloads