8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
Size

2.6MB
MD5

f09dd24e2f5d1fc42f0c9eaaa9cfd8a5
SHA1

694a7b78fbed801f38f93eea5f4b2bfee5dd1ea7
SHA256

8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429
SHA512

176ddc582535da6c1e968db64d0fea42d643af952862dbe4cd97106bc6eee7d93065ac0bef9e86d69b35f77579e133304a56e813a8edcb675b5c47a9652248a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

Executes dropped EXE 2 IoCs

pid	Process
3112	locxbod.exe
640	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1Q\\devbodec.exe"	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFI\\optiasys.exe"	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe
3112	locxbod.exe
3112	locxbod.exe
640	devbodec.exe
640	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3112	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	86
PID 1732 wrote to memory of 3112	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	86
PID 1732 wrote to memory of 3112	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	86
PID 1732 wrote to memory of 640	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	87
PID 1732 wrote to memory of 640	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	87
PID 1732 wrote to memory of 640	1732	8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe	87

C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe
"C:\Users\Admin\AppData\Local\Temp\8b8b82a8a74a79bb5d1ee9352df95c7b0e7a67c091e9aaf2247dc33f5fa7e429.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Adobe1Q\devbodec.exe
  C:\Adobe1Q\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1Q\devbodec.exe

Filesize
271KB

MD5
451fb2b0c37eb54ec1f2becd9f64cf4b

SHA1
fe41b2d08bef6d16b3886adf2c352a9b0186ade8

SHA256
cdc4b6696d9716ebdaafe36534bd846e158d8ed87472d06d19a49c28ca8fb718

SHA512
ac73eebc630136c4fdef9e0d7abd02b4a0a7a91986d625234b85930116b1074929244170d7cf45407bb89c754be9570b72684ba5cdc0cc9b6cb99cb8e717beb1

Download Submit
C:\Adobe1Q\devbodec.exe

Filesize
2.6MB

MD5
a9b145107ace39822c89c2b1bed718e2

SHA1
2c02e8b1d2a5787f1f4a7c9286649917fbf62e88

SHA256
2dd9478e99ba7635394c2afa6ec0dee016f66d24cbccca622446b2521ac5efab

SHA512
7cc4b390ba3e8781bf0e5b95c8a12e354bc636103c69b3d4418f69726730c670ec640f5c5398f060d2e193d94c811c7e7867c6491bd2ce481b1e35a980b72b02

Download Submit
C:\MintFI\optiasys.exe

Filesize
1.1MB

MD5
2cfaa328596c350bbc341343c673638e

SHA1
738cfc9266bd52856a7fdfed3ea56928cdf75937

SHA256
cf4e16c21dc28d64a83b3a7d4115d8201953fb887fe15b11d701ae8ef548ef6a

SHA512
470c33cb733d6cfaa59190c2dd65f6e5a4687664295c8c986e6d3d739ca478642d6b64df949c9be1916314f7cd6145445a34a7e281fd115b7a26a00a287c1185

Download Submit
C:\MintFI\optiasys.exe

Filesize
581KB

MD5
43b841e9869c659037934eac3a3a59fb

SHA1
b386fd85b90b700bfd4d0140a9bd61b7ec114125

SHA256
020c37dad792b070447ba849fb28939d66b975503edd8b0fac03b478f45c471d

SHA512
02c96a143382187049ca758e3ae2a205dc624ed512e802f0f8d4e394060db9a4761f718c3ec091d951ce828096e1e6c9db2aaf41bc1eecf25f646413786d0567

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
63efaa577d3dc32aa98cdf3c2537dc44

SHA1
da6dfd846708ab8387e6db5f7bac5e952c6adf8b

SHA256
b943bfbd33e467075258c405a9cb7a989def9d008f1174f3367ba2aca8955bdc

SHA512
ffe41677796abef4f53b040431f08b5a76d760be77e73060d55c9839ab521cb1c7ab691f8d64c06b1d8b516c5039ed1429a780b72930eae5d5aea8420d7b8ef3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6a17562c2f6e43b057ea26ceebc910eb

SHA1
12947b480fa54b58346adfeeafbb05fe1f1fb19c

SHA256
63961664404f38fc2408875dd931ed4e9cf1036d1b3bf4a17754afd03b6d5477

SHA512
ae691ef147f66e6eda594c4d424ee83b87e61a6cef0f5da330965d60e92ab6319208667f43933ec45c2c1f09305e67552c33d19ca33ca06b3d441ce15d502421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
91b0c914b7eaa5647a59576a0b5147f3

SHA1
4df1ce0c864b6cddd36ce2d2e1a76744dc3eaee6

SHA256
94d86a6c9650a9806c3dc9fa6f2a72ad57980d924f440e3c958f27e1b4fe7164

SHA512
ec0ac2980400c960d81a574934a99360ba0df5d6b12063156d6d15c84b0424f91a4d4478c007d0dcfe5db0aced76e38dc46d4c7e90fc3112ba84d2eff250ef57

Download Submit