fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
Size

4.1MB
MD5

16fd6ba11f5a978707f41235767b1eeb
SHA1

1733f76d7d616659c6d9374f501df8c1a20b2385
SHA256

fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293
SHA512

4538b8c1a652859096ad8fcf605799e081ea90f283bb6bb20ba6737428d9be8cd65a26fa5dc0880d6133d0ae61112c3b22b7bb4d89b3b075adcab0480d04f99a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe

Executes dropped EXE 2 IoCs

pid	Process
4364	locdevbod.exe
2272	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY1\\devoptisys.exe"	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXQ\\bodasys.exe"	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe
4364	locdevbod.exe
4364	locdevbod.exe
2272	devoptisys.exe
2272	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4364	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	85
PID 3664 wrote to memory of 4364	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	85
PID 3664 wrote to memory of 4364	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	85
PID 3664 wrote to memory of 2272	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	86
PID 3664 wrote to memory of 2272	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	86
PID 3664 wrote to memory of 2272	3664	fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe	86

C:\Users\Admin\AppData\Local\Temp\fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe
"C:\Users\Admin\AppData\Local\Temp\fc41d2e6e5e5c4f06397d23a4261a28f0a73933ae59976c7c10305ed12e85293.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\AdobeY1\devoptisys.exe
  C:\AdobeY1\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeY1\devoptisys.exe

Filesize
1.5MB

MD5
ec3713b55200166981b2e50324de1b54

SHA1
944852881f8524d192263f1485d4b4b00600c54e

SHA256
f5b0f0b30f6b247fae91a8172463d09f979ae0122d497740219fa8156066033b

SHA512
313956d798138a94791299303f4b09ef2403da06dbeb22d30373ed572b585baa0479958b036db91bc2442030bddc19cc0f79a02a215f7d0e191a351a61f8f9cc

Download Submit
C:\AdobeY1\devoptisys.exe

Filesize
4.1MB

MD5
abe92d40f1c8561d905b1fb9f32ea1a1

SHA1
6fc9630e487c2a9a433e38b62068398962e9bbb5

SHA256
04132d2f22e77ef046198587e53f7155d17c5c13ee03c11fc47c5d7e0e0482dd

SHA512
432acc4a72ef55c7c964e1e6c5c7ca707f8558e4095bc5123e01773b4dc43426a48476aa99711b7ffdeb693770c219385882526c96081c1b2fb256ef47e4d740

Download Submit
C:\KaVBXQ\bodasys.exe

Filesize
4.1MB

MD5
8aef81ed931f212240d5c7cd74fdb345

SHA1
72f567f7e1fb9836f1b15b597f8340b74a19199a

SHA256
bf8c0a0a5becc6a95a9894062652bf274b98781998cdf093fdd4c6f52cfc5614

SHA512
c1fc8bc72692a72f49bb132545bb89a7a825db341c1774ee439e9ee423b3d7f88a670522892e83e7b0540dd131cccf2d42f32b3e1f6928ae2f0b2edd8a42fcc9

Download Submit
C:\KaVBXQ\bodasys.exe

Filesize
1.3MB

MD5
b1cb10c27ac4b613d10399294ae4bbde

SHA1
38ab3b05843a8eba57a923e1483aea64ead3acbe

SHA256
7e34052c0d4d08250b6f6196cc84da7c0180e3e235497b68aa65c37db4b97881

SHA512
1e346627db494059fc136dc5dad057fa9bedbc4bf9ad4728916eace4ffceea3f2758c501c35f08087dda8b765ef4f14d70c650f22368b41d7eb725b086c297b0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
1dbc858e12b8cf948b136124b9c7d446

SHA1
c3cd9cf139873d141459dc6c96d77fe26ad343d4

SHA256
8cd3a9e8ad60e1b1b1ba35a023efba440312376cd9fc0c064b3b5078d0025027

SHA512
c980e431b665b3c9a891959b5d50f850df447527c46300f8862b59fa40d8beaf40f2b6ea1d7ccbebd526950eea7bc4b37d0aa5fc2b609c9ee9f10d6f8a2d4450

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b65aefc9020cb044a3a7a6f035893bd7

SHA1
fc757422bedb4944f37471d20459593924a84460

SHA256
86309fc44f8dffa5b4d5831936441934b7ed2edef238f959fba0ecc7451ebd1e

SHA512
531b32c4e7003a3e4a676f3d906add30df75c67565cc7846c9fb2192c5714f92ea7b7020691ee8e32c1d4d9fe5aec9aa9a7f3dafd5c69ee322b441585b5589ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
4.1MB

MD5
4368db4c0890bf33833f7ccf9036b675

SHA1
c3896296a8a0e846b83c9586735dd538820bd514

SHA256
534071f0efaf9222b400c94946706b8ef3e90e8ff92899c7a6dfe39ed542ae79

SHA512
2e1b96056482e0c8ee3761548440eab78305b4d43e314d2a2adcd26457c866530c9a170e543593fc418d392363199c1c4a6d540c82aabfb4f82464091dc1e4e9

Download Submit