774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Size

2.6MB
MD5

9ce45bfe76f2151b5cc1f71e4d5b3790
SHA1

d7bf4f015d2e29040c790de8b268ed0ef4a108b2
SHA256

774d7b1dbff12b4ca8d22a3f4542cdafda2b390060905d0f5dec3c042df5f5bf
SHA512

5e0babfe1a9eaef2f5ec9ba459b9ad165116d991fad95fd763f23e14e51bab8471315df75ccec0c9f796f2bf7c1cf7cadde1f6e87226613c0ddec8cc42de8e8f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	locxbod.exe
3352	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVD\\devbodec.exe"	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6C\\optiasys.exe"	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe
4420	locxbod.exe
3352	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4420	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	87
PID 4552 wrote to memory of 4420	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	87
PID 4552 wrote to memory of 4420	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	87
PID 4552 wrote to memory of 3352	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	88
PID 4552 wrote to memory of 3352	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	88
PID 4552 wrote to memory of 3352	4552	9ce45bfe76f2151b5cc1f71e4d5b3790N.exe	88

C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe
"C:\Users\Admin\AppData\Local\Temp\9ce45bfe76f2151b5cc1f71e4d5b3790N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\IntelprocVD\devbodec.exe
  C:\IntelprocVD\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax6C\optiasys.exe

Filesize
2.6MB

MD5
158a0382c1238e3c0389c1c8017e4308

SHA1
9aa8d799ac6fe7e65b12e1fd2997a4071eee9003

SHA256
31b9528a1f23362af8f759a42bbd148f0a85d4380cf53f9262dfb6ea1872d1d5

SHA512
57ac9284a82f80ed9066e3f908d61f456374935bd0c2fac9a54941991e3e3a6811b13c1304f4e75362049a81ef79c385515cfcf030b736f66d250459dd2aaab6

Download Submit
C:\Galax6C\optiasys.exe

Filesize
2.6MB

MD5
999dc895b2a20fb3f995868c2fe85e42

SHA1
39530b9e2066cc23cb446ca8726247858d7044a4

SHA256
da5336f34ab6e1453b0ac036149568c38b1a027e1b7361c85273cff48843bf0d

SHA512
58394c6a63a4924b410cb0044bd814f7c0f6eb1b19295fec31d337a1efe9b6382ebfdc0af41302637f4396ad12cafe458ea71794a98018cec15d25724fc55111

Download Submit
C:\IntelprocVD\devbodec.exe

Filesize
2.6MB

MD5
83c525d9014bd186b3399f8c288e3aa6

SHA1
04224b0c4d5cb70f12f6767dd7224d5c2b2f4eba

SHA256
9cf1ec8da4e31099b8797a38cd657f1d6eafa358a6abcbc413455c5fbd483b92

SHA512
e80252e76e4fbbeea9b8cf0231e9e96c4d75279178b439e3001e3f49e22ecbba380e11271abf1d867e967b2210f8991b3ff3dee3a540f760bf492f8f5540ad49

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
afecc5dd4438ca8e091607332f53bd94

SHA1
9e74a3fbb78a8057f3449811749ff40e68078e4a

SHA256
62ada75fb2942d675196ff94d002faafd547799346f02a24bd468e3200795e9c

SHA512
4d7b616cfc5066765df82cd44a2264c60f0ade1ff45dcc543a840f30d6f551445fa12bb0f5f38fb664f2cff136e8560842eb383308ae800140403ede65f0576d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
a6c827a4487cb263cf47a9c8b4d2690a

SHA1
d06989aad6ee86af981f9d5b936c993705c1b251

SHA256
49cc8ba2c7c2889c734315b82cf234be65ec2929e8618bfa715797f690fb6819

SHA512
3687d4f2a1b0602d018892400d2e0a34c15f1786dfa71239454475ce4fd1c2f8c36dd528c7726e30af89bdf5f53d47f89696e35c8bc1b0a3bc6d35adf4fda50b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
ef27347bfd66fbc2a03573df94c3e591

SHA1
33a9b54ed42c6c5c8e36ee00753b83c059e13a03

SHA256
3ed8b3a336d3fa6868a255365d2a787beaecd2c9c871145eedf77c560dca8a20

SHA512
c4f4edac5f6d0e66b3d4be107fdb063a71654c28b62313139fc63692943fe1a0550cd2fdd99bdb15d19ea8eb3b1e91f18d348f1ab8fc5be48f15c12bf32fac32

Download Submit