8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 00:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
Size

3.6MB
MD5

bbaf7dc4ebe60d9c86ed3b545779fe86
SHA1

bd83e582ad295ca27ae0ee55ca891b9c9ac4044f
SHA256

8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c
SHA512

25cae2ce6dd842dce5a9156ba794a04127c996a4d22447904b6c2ac3db737b6e2cbbe8455b06bd632205ffac16d77dcc03fd292be3bcc8c3a3fca17e33d7d4f9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	sysdevbod.exe
2064	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV7\\devoptiloc.exe"	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0T\\bodxsys.exe"	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe
2544	sysdevbod.exe
2064	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2544	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	30
PID 2356 wrote to memory of 2544	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	30
PID 2356 wrote to memory of 2544	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	30
PID 2356 wrote to memory of 2544	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	30
PID 2356 wrote to memory of 2064	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	31
PID 2356 wrote to memory of 2064	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	31
PID 2356 wrote to memory of 2064	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	31
PID 2356 wrote to memory of 2064	2356	8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe	31

C:\Users\Admin\AppData\Local\Temp\8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe
"C:\Users\Admin\AppData\Local\Temp\8046bc0fc708067707ce78758bd2d03787e5de1b318d6154da962a3285506b3c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\AdobeV7\devoptiloc.exe
  C:\AdobeV7\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeV7\devoptiloc.exe

Filesize
3.6MB

MD5
93767c9c208b978c58c60d093601b52a

SHA1
94fc4198b0f7ca3c0dd3278dd2b6793d5db313e9

SHA256
a05d2b5d876db9b31fc05f8938b4558c424c654be8ab67c48174be74bda45fc4

SHA512
f297b5febb29111f88ab85e6dd3285c5df58e32398acce255ddc3be596f25ed75865a8b92738dfffba0f72a80ca2b95fcd3bec18714d56624c9cf0c4c0899254

Download Submit
C:\Mint0T\bodxsys.exe

Filesize
483KB

MD5
1223ccf21916a8b6e115278547d5cb42

SHA1
4db77fbb5014b87dd35a52626809aea691b54311

SHA256
6d9372e88edbc6dfd81227f2e44be31b437b0b2b21120342791fcc9f5f6c9c0f

SHA512
1823f4569ddb6a37972246fedf2376ed332e5ca0e8fae73d5271104ff3da3ccec677f451c231b6fc4f9b236df63a79938339e2a7faace6bf6bde849d8b476e2a

Download Submit
C:\Mint0T\bodxsys.exe

Filesize
3.6MB

MD5
630d5474757873e2da9246d69bf540eb

SHA1
6445ae0ac5159c9e397f2e303dbb0718cb641042

SHA256
b6007036face1f84aa9ea5f0e93a3f8394765e81928e77b6b3f57327b60779e4

SHA512
67d0cc45fafdd99433f7b1e8b621c0836890d9acccde3eeb8688b4510ae06d5fe6ee6b5153d66d1f70dd2f49bfc79bb77f04c0d558760761a2660889cf91a6cf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
3bdac773f4dd552fd8b21f3f9d7ab391

SHA1
d03c646b5a4b0925777bb52ee31d1c383cee2c93

SHA256
9e3302095914fb96ac3d5c292314f7d085adca2e8cee350bbe8841a13264d080

SHA512
b4505357c06fc4252ccc40041adc5af7c7d326b54d607ab7f99c63caac618685b97417b89fb29bbb084744bd5ed8e7cfcfe3bf78a1762a7fd2d3f67d6d3f96c2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
85cc87cc6846c2dacb30927dae543dd6

SHA1
579a12a76791cfb8878b0b49acccfb41e6bf03f1

SHA256
687532337745390c3376a5813c1393605a8d4067fe97897d70faeb138052d287

SHA512
4943b4ca3617c719a56364853f1cba0f674425adb00d17940906a0bdf8f239343df9dbeb515e31de0db51e46f9f33407ade1dbaef43e44fd680e39e67c612e08

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
3.6MB

MD5
6ce2e2342fc63c3ff9399244c71feba7

SHA1
5281b651498655842a3ce97df0b1edf9cc70b302

SHA256
e191ed340cd7bf740b638ff979171211dfeb8ce79cd0ae19d36f9fa83dfcdd27

SHA512
9168f6ccb635dfb6c679a6bdab341ca1b05d1aff440bb83b5215e74cbc59d070678e509bf454c591704565222090f79f5da46a72a3a37347255a52e2703f9352

Download Submit