Analysis
max time kernel: 149s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 03:13

Static task: static1
Behavioral task: behavioral1
  Sample: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  Resource: win10v2004-20240508-en
General
Target: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
Size: 3.3MB
MD5: 1fb36ec40b8dac633f226b941c5c9ed4
SHA1: 0efdccfb197b85637eb475fed1fa218ce61a1149
SHA256: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e
SHA512: 591b6de05eb65b818eff346e201bbc4477aa162b7018efa2c1ea7cf2abc7b286b18d90c3fe5395f7852ca063ceb7528f1acbc4b8b18e1081a70a8aa4f0a0e9d0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8:sxX7QnxrloE5dpUpJbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes:
    b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 412 sysaopti.exe
    PID 4576 devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYR\\devbodsys.exe"
    b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\bodaloc.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe (4 entries); the remaining 60 entries alternate in pairs between PID 412 sysaopti.exe and PID 4576 devbodsys.exe (30 entries each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 412 sysaopti.exe
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 412 sysaopti.exe
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 412 sysaopti.exe
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 4576 devbodsys.exe
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 4576 devbodsys.exe
    PID 2428 b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe wrote to memory of PID 4576 devbodsys.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe (PID 2428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 412)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocYR\devbodsys.exe (PID 4576)
    Command line: C:\IntelprocYR\devbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads