3e507aa859d8d9e9cb2b4076d721842aedf3f915a6e1a5c81885c38b567c86c9

Analysis

max time kernel
119s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
Size

2.6MB
MD5

1ce5851fbfb2ef9bec7d3a706f6fda20
SHA1

cf109b892942fa1cd02cd29088f4a9beede8d6a1
SHA256

3e507aa859d8d9e9cb2b4076d721842aedf3f915a6e1a5c81885c38b567c86c9
SHA512

5a11212429b8a2371a6fafa2d20b33c7d80a4bd75a2fe3ddda2b7cdf05b5d20d58f89693187d9073822287ea6bcada495f0c700b9517615ad501ef93c134198c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpEb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	locaopti.exe
4328	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe85\\devoptisys.exe"	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHA\\bodasys.exe"	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe
1208	locaopti.exe
1208	locaopti.exe
4328	devoptisys.exe
4328	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1208	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	86
PID 1140 wrote to memory of 1208	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	86
PID 1140 wrote to memory of 1208	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	86
PID 1140 wrote to memory of 4328	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	87
PID 1140 wrote to memory of 4328	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	87
PID 1140 wrote to memory of 4328	1140	1ce5851fbfb2ef9bec7d3a706f6fda20N.exe	87

C:\Users\Admin\AppData\Local\Temp\1ce5851fbfb2ef9bec7d3a706f6fda20N.exe
"C:\Users\Admin\AppData\Local\Temp\1ce5851fbfb2ef9bec7d3a706f6fda20N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Adobe85\devoptisys.exe
  C:\Adobe85\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe85\devoptisys.exe

Filesize
2.1MB

MD5
63af4b80bbb1dc72de233ca7b7c9ce8b

SHA1
4af2cbb9d1f836bdfd54a8272d8b02f984b11d18

SHA256
26917eda21128f7004b0befe332a0ec9cde4f40aaed6a2634f61797d1f793b8a

SHA512
fd3c5a7fa1f9f028b1857fd171c3d6d10f2d42573c6fdb88ebf67912c462a50cba7adef7b28a0a04ab78d75ab45cbf9e3c3c403f40e7cbfc01893a7b4a1b242b

Download Submit
C:\Adobe85\devoptisys.exe

Filesize
2.6MB

MD5
f2433f72795fe9c7ecb0ff44998ea34d

SHA1
fa5c757e6fb0a571454a624eb1977f16e83dacd7

SHA256
155594852614544bf0a96eaff9f3e03ac9cf9857469529d4621862b0a872a600

SHA512
8d13d93379122db42639b27df0d3c2f5038c02f1a7a1a0dafe13695a54bcd786e67abeb70ef61306f7e980639b9f70385a718cd68f2af59adf48b231394d8de5

Download Submit
C:\LabZHA\bodasys.exe

Filesize
2.6MB

MD5
27ed8ad3c6afed601115f19f6367d5c9

SHA1
f7b01f3cca2d8c9c7437d16406cf9875277eeeb8

SHA256
9fb2b73b07ae1c737190986ba43f980aad342b5aada4a62d5c9ed7467dcbb455

SHA512
4bff6fb5dd8c3488b6a6bfea493789e3981e0d7d79100d48a6ee555afe21c6c73841842ccc41e895e461aa6e06cc2ad981adf12733f1e6c226862e33ed0aa7b5

Download Submit
C:\LabZHA\bodasys.exe

Filesize
2.6MB

MD5
9b8fae18413e16752f92cec3cf12d8ee

SHA1
b383cf56153e5124bcb2a1a5ba7a29ceab0a7513

SHA256
3363779f9d4aeb1dde3322345101bcc5cc5f3d63ff97a487a982d5f3e2aef25d

SHA512
0aa07b00d423ce905556f8107e488b8f21a03c149155359a06911260c684ba2123e52ef82fb4bca6e03480a930e27e6f5a266b3e31d1ea6f95032006a346e56c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
0b297564e3ac603a4d2e533e5be62b14

SHA1
28a88c5dfcbc2df4e865123a6a168bb41fa5fdec

SHA256
252dc934d44a0f9d7fbe56180d8d7c26dae4e5a6824720ccaac0bd3329ad003e

SHA512
c26d4b9e1295de9c963f433c4113b394d1ec3c367c502b74993ac3424c450929657dba29ef19d05ed084dfeed23f850562c24d2f8cc7634f0275e20ccc3ca3d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
3ea512ff02c7fc3878b778be4a8d7495

SHA1
bf981d5f48122264fd75213c5173369b3f17fa26

SHA256
06fa6234940ecfe6097659cd4f538445161d011810eeec815c1f4872715a7238

SHA512
4debe4e4f7249e739f670b37a3c9af81eb5c6345ec9c4d08218645a7613f03b8f482f42450b30e0959c09fa5d91d2cc351ddeacb0eee3ef121d4b6cbace3da64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
27a912dabe0feb4492a37017a91ce9df

SHA1
faf066b3cefd1f612c91738eaedae52b2f984c0c

SHA256
2372136b13276b6d3583bb50ac5d410b7894a9d32b71acce288b0d9f49c6c709

SHA512
a01bd5ce92054901f0dc682e963d237263b2b352d3a6cca8df145202d7b9e45de58cac9054f8b7a82103530aa14adb554dfd6b7836ce7245d6dfb37f838669c7

Download Submit