879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Size

2.6MB
MD5

266ea141a56df1ed37fbb1652dc818c2
SHA1

865d0abce2a1b4dbd63e2a66a483251482ae1468
SHA256

879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0
SHA512

b6efcadf54a2b4804764d89ca0a9862e9c462e7c258627a274b68e64836fd7fe1be5c1162384e953c3d9f6fe8da968ff297418c2488d28a3285bd57067d96422
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpyb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

Executes dropped EXE 2 IoCs

pid	Process
760	sysdevbod.exe
1616	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files6X\\devoptisys.exe"	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ3\\bodxloc.exe"	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe
760	sysdevbod.exe
760	sysdevbod.exe
1616	devoptisys.exe
1616	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 760	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	89
PID 3764 wrote to memory of 760	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	89
PID 3764 wrote to memory of 760	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	89
PID 3764 wrote to memory of 1616	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	90
PID 3764 wrote to memory of 1616	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	90
PID 3764 wrote to memory of 1616	3764	879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe	90

C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe
"C:\Users\Admin\AppData\Local\Temp\879ad8ed6d4f6510f73504957d8316591c615ff418fb5617b10a64984e3f98c0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Files6X\devoptisys.exe
  C:\Files6X\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files6X\devoptisys.exe

Filesize
2.6MB

MD5
7a09527847ee1f4fd0e3a1b07027b5df

SHA1
dcce7baa74fb343ee5ac572983573abb016e4e0e

SHA256
803dd89d36543933251ab977173ffac6e83703603d59a381111179bcb5fa07aa

SHA512
625c5feb0cbf9ac1b1346a251e4c4f532cc526511e3fd94edc8e653fd2b651cea85f7cc4397625944c651e4579008d293b0730cb7c44cb136dbfd16656c9d198

Download Submit
C:\KaVBJ3\bodxloc.exe

Filesize
20KB

MD5
2873fb57ea06e0913c9b5dde7bd73c2d

SHA1
c2794b886d0f3c44e805ffe343756fd81b5c87ec

SHA256
08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587

SHA512
9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

Download Submit
C:\KaVBJ3\bodxloc.exe

Filesize
2.6MB

MD5
7a70bb5bca6bd9b430b80fe64155dc0c

SHA1
9d145e18a1d55666605c0cb409d6e720631187be

SHA256
4e320e54f8fbfc3b4ec0c5726f64e7bc4aa1d9d8c8ef322389ee52078616a940

SHA512
99f570d80d8f900867823d40b2973cb04849ad0e18a7a7e5ddfa165f4b4849182b3fc20be386567208c6a8c2670d40732696529d725880b433e27144df763dc2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
073ceda85560d4d6ad609c12725b1d74

SHA1
80add5e712a5bf8d7dff814fed26809f3cb9c658

SHA256
f6f870c0ca3aa10ec5bc3255f80f1d67ba87991dc9a57725d6c73ad746f175aa

SHA512
c605f61aa8d23f3ea0186f35964a4837fd91b1a1a22d24f64448cfd7857b687c1293ff08661c52e56bedbd35d73a62634c232a9a39b3163c76a7df71232da911

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
be7efdd69be4c5766ae3a3469caa67e5

SHA1
69018bf1818987f85dc073d307fd844d023f2d87

SHA256
d1a775a6f3c025d50c7038db222d3b63c9697897d2ead713a097c93e0b355929

SHA512
b72e3fcd178c46a590407590acd826ae16480aa116440b8e0dbbe403cf0337e496dfe6b32c9b169fcb45428d413390182289e0e699addb95fd8d340adcc0c394

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
64b6fe1a7a54d8d15410d7dfa708baf7

SHA1
1de4cdf3fc82ba63ddba37a8922c3f668cb2bdfe

SHA256
6c38a1f91bb79a94f9429e744e5db78048ae246eefdb2ef4e1be4dfd2587b6ee

SHA512
3dc7bdc9390c7a21e2f81edeea28ea5c1c95f0c8641b7c755f0068c0b1da67664f8f4b25c598df600f491da9c74ffa75e66b52bb71c76cf2adacb644bd87c739

Download Submit