15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b6e821e9a2b645f25c1ba0ce250f40N.exe
Size

4.1MB
MD5

10b6e821e9a2b645f25c1ba0ce250f40
SHA1

5888930755f20a01dcb04851018e246ae750816f
SHA256

15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
SHA512

a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	10b6e821e9a2b645f25c1ba0ce250f40N.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	sysdevbod.exe
2652	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQC\\devoptisys.exe"	10b6e821e9a2b645f25c1ba0ce250f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint81\\bodxsys.exe"	10b6e821e9a2b645f25c1ba0ce250f40N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10b6e821e9a2b645f25c1ba0ce250f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe
2784	sysdevbod.exe
2652	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2784	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	30
PID 2660 wrote to memory of 2784	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	30
PID 2660 wrote to memory of 2784	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	30
PID 2660 wrote to memory of 2784	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	30
PID 2660 wrote to memory of 2652	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	31
PID 2660 wrote to memory of 2652	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	31
PID 2660 wrote to memory of 2652	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	31
PID 2660 wrote to memory of 2652	2660	10b6e821e9a2b645f25c1ba0ce250f40N.exe	31

C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe
"C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\SysDrvQC\devoptisys.exe
  C:\SysDrvQC\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint81\bodxsys.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\Mint81\bodxsys.exe

Filesize
4.1MB

MD5
24f288761a5e902cde4280f5f4c86856

SHA1
d42812a46672a2f4adf90480c64621d5fecb1a34

SHA256
557dec4b16fe7c956c02105fb568ef2a331dcde83a02c09263a0a2db6d89ee85

SHA512
da09db27bd5cb957db780c5bbe2cb9e097ceaafd0bdbe091cf8f700eae862f7c4ed729918f13d6957aaa321d87575341acdac3ff38a42d00b850889936e4e30a

Download Submit
C:\SysDrvQC\devoptisys.exe

Filesize
4.1MB

MD5
5a3013516f67d2e51fe961cf4821ac84

SHA1
f6ad5af495fba9d23aa808090a5c3e61a599c79b

SHA256
c0cffc865b3329df8aad2b4ce699fbb69cc7d8b123e3ad107584148af40f8062

SHA512
3c3f721c969d21689662f443877ac206f12f4dd47cd205c10010ec54a9e1c73e51e3b12a882f2558d1cac50bde8752140033ffdccceeb47ca7e7090094caf4d6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
b631c0293114bf22024366a560da0e99

SHA1
0e5552fc091bc2d4958cb480afc670ebd6921a71

SHA256
ccb6128b00518b7a64851fc5a7b616c96c0016107b50e294eb4c5f868a3632b1

SHA512
eafa7f9e6643cb82a8c294f6c8c82caecde541d7c136c5b6c52811eb42356f833aa783f57394f04d2a9eaf5eae64feeac646f4ae8af3c4dd9f2fb97b9c5c0ef6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
07f5887d93be0c496d5f7b8f29c3122d

SHA1
b31e14d96cdd92a482d34b512095d995d2be7473

SHA256
9307dd779ae4a00bb67c7cc92fca934326d1ed6dd35cb708adc6ce120fd3b0ca

SHA512
99a3cd9304b944fb6d4a6367607101d920e3332ae50411e24c0206c71752b0c1bff980857323818c7945f206bf8193bdf1a43bf6fdc9a913f2fe9d8f07e950a9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.1MB

MD5
bd8fd2ae7ca7caf572b728cba7ed317d

SHA1
92a983dc282809426d61426aec58923ff39a5cc4

SHA256
db66ea34d3dadc83ede66a60073a6125144470d2593b2ce5edd5cb1282a20382

SHA512
4ee4107fba03689ed05b95d23fbd7f16c53d46e1332aed323af4bdb7733fc0e000ef5595dc8b25e92543beba43e4f6599e24e024620ceb08ee414b0ed4e2f944

Download Submit