40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
Size

2.8MB
MD5

8112936847b2fe4d5935e0198f79208f
SHA1

6a6ecf649cf44c328c35660d12d80336f018f791
SHA256

40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159
SHA512

822b5d128c10f041132e372a9474a967c15a8c3b8a4e7ec51bfb71db74b06cc6b0289f9fa514f26d8104dfe9e0c6a4fe7032803d3e4b494113ef6f5fd2557751
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8:sxX7QnxrloE5dpUpebVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe

Executes dropped EXE 2 IoCs

pid	Process
2920	sysxbod.exe
2492	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBR\\devoptiloc.exe"	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWQ\\dobdevec.exe"	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe
2920	sysxbod.exe
2492	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2920	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	30
PID 2676 wrote to memory of 2920	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	30
PID 2676 wrote to memory of 2920	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	30
PID 2676 wrote to memory of 2920	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	30
PID 2676 wrote to memory of 2492	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	31
PID 2676 wrote to memory of 2492	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	31
PID 2676 wrote to memory of 2492	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	31
PID 2676 wrote to memory of 2492	2676	40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe	31

C:\Users\Admin\AppData\Local\Temp\40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe
"C:\Users\Admin\AppData\Local\Temp\40d511e1a42b30fe70c3eea20f8b3ce5dddd5c9c77e7086952fb0d4686e0a159.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\IntelprocBR\devoptiloc.exe
  C:\IntelprocBR\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocBR\devoptiloc.exe

Filesize
2.8MB

MD5
44101bb5db97db78cefc5249f03cc334

SHA1
2d87e5a2f4bbb6827cb257c5e7b9517689686bc7

SHA256
a248df8b9eadaad2ff714ee7932f45b16d2fbfb8426a5cf04d64dfd8ffd0341a

SHA512
9cdf396b6eecd78ad7cd4aef3ded58779442b1e93e086db0076945dc5db19742aab38e9b304bdb73e0709739716988393bbdd862f6003ae9ccdcd4f86f657773

Download Submit
C:\KaVBWQ\dobdevec.exe

Filesize
2.8MB

MD5
9336800e83e9131eaabec9b5d95a0c98

SHA1
949c49f85c8fb873033748d6a639685e12f61e88

SHA256
06aec5bc7f4b07a0f2ce993ae62aaf396e55f281ff2c6d8bb4a73f5bb328de23

SHA512
070ed3625403b0016c3cd35080e6fa28e2840bd75a742526d65629e5be7762630175d052349be7aa3ae476312c429acb55b9eec3c0cf09c044458c93302b38b2

Download Submit
C:\KaVBWQ\dobdevec.exe

Filesize
2.8MB

MD5
a4c724bb48014d6856c25dd7d24b334a

SHA1
5b25d9d4f68928792b48ac21b8276b9fa634de97

SHA256
a6760e9a8352cbfef9507d4797934f65ea29d1a0549470156cc006546df088c8

SHA512
74c13364b21c3bba5e28d83c17315bbf725277b7c1a57ea6b7810afec3b6b7c6dcf709daec7a2753f09dcc744a6340bc4e2c7ac93129bb4cf78888e6119176e6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
426a9f073c0fa762eb627a9763ad74a1

SHA1
a36a270b7a497f34f494a8aa9601226b3e6771f2

SHA256
ac857798b5395e3c23a00026e49112a1d2eafd9f0bac5fddf363a3b79f9069c6

SHA512
d9d43985bfd79c938d925c84076a8004203e70ed3069506378f0e6eecc28fb8d533951e9efc0e2f29d8837f00a4aab3dc6ffab1fcba7dc9b8deebb2c64dc3372

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
2d57a144936b5f00b0829c9ea2b4b2cb

SHA1
9736a5b145cac8a4831d26d91dbce9d1d29e0be6

SHA256
c10a312e6e131ea42e3557ecc6e5b25891d337bd4bc25d2b3e9feae5990b378e

SHA512
0b10801b9291b9dad9c2b54cb8ff83bf90b02e3ea4043ff7440bc033f2484d7250451c2cdc30fb3429575384e72c977a7593e6130f39157ec2d8e238c1930a2f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.8MB

MD5
50345c0fbaf517b3b90085d816e9ccf0

SHA1
12f7ce4f134900f8c969a0d01d5da924b453c84e

SHA256
7cc9830479d4173f404323fe33d2338a506a5bb19bf31c2ac51a2f19f2df5ebe

SHA512
291f16350f1e5de43304c2856fa08f16ecac73fec02ef0762bf7f87106bfeb04d27942f3ac2e1e9875d70978ba1d775ec696139950dc15eb2edc4ebc4abb1bba

Download Submit