d49f5769bc8da6c5747d91ab13d3458df0cb9b154b2c865b70f2a868414e4718

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a967865d0b31b15c92358f17b378c0N.exe
Size

2.6MB
MD5

66a967865d0b31b15c92358f17b378c0
SHA1

668a9e142c13dc45dc467a7286f25ea30906a7e3
SHA256

d49f5769bc8da6c5747d91ab13d3458df0cb9b154b2c865b70f2a868414e4718
SHA512

8007f34913379a579e86f533369688e0e12eccb01df0b52b2b4cc15f48ca3e1ca46be36e569bbf0229916f2a1777304be441e029a134eb80c6ebc7dfad5dea4c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpVb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	66a967865d0b31b15c92358f17b378c0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	sysdevdob.exe
4152	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGL\\devbodloc.exe"	66a967865d0b31b15c92358f17b378c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDL\\optidevsys.exe"	66a967865d0b31b15c92358f17b378c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66a967865d0b31b15c92358f17b378c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	66a967865d0b31b15c92358f17b378c0N.exe
116	66a967865d0b31b15c92358f17b378c0N.exe
116	66a967865d0b31b15c92358f17b378c0N.exe
116	66a967865d0b31b15c92358f17b378c0N.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe
1724	sysdevdob.exe
1724	sysdevdob.exe
4152	devbodloc.exe
4152	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1724	116	66a967865d0b31b15c92358f17b378c0N.exe	87
PID 116 wrote to memory of 1724	116	66a967865d0b31b15c92358f17b378c0N.exe	87
PID 116 wrote to memory of 1724	116	66a967865d0b31b15c92358f17b378c0N.exe	87
PID 116 wrote to memory of 4152	116	66a967865d0b31b15c92358f17b378c0N.exe	90
PID 116 wrote to memory of 4152	116	66a967865d0b31b15c92358f17b378c0N.exe	90
PID 116 wrote to memory of 4152	116	66a967865d0b31b15c92358f17b378c0N.exe	90

C:\Users\Admin\AppData\Local\Temp\66a967865d0b31b15c92358f17b378c0N.exe
"C:\Users\Admin\AppData\Local\Temp\66a967865d0b31b15c92358f17b378c0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\SysDrvGL\devbodloc.exe
  C:\SysDrvGL\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintDL\optidevsys.exe

Filesize
2.6MB

MD5
f0fe675b1a3d5b045a1dc623600cc764

SHA1
5722b951d42c195c8c53db85fe5b170e0ce17779

SHA256
2457515b9d86f432453e1b7066e75c0ec2ae226cb609f9b9bcc27ece9dc8d09c

SHA512
5edb82dcb707fbf312abf1391f1e56ef0312991095b75abef300dd407d81f239e15fa5c8c904ebe4a6263c855e4342333bacf2f57008b5e6e56a16e3049a0088

Download Submit
C:\MintDL\optidevsys.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\SysDrvGL\devbodloc.exe

Filesize
2.6MB

MD5
28e8eae28af935d7fcb9c2d510f1ee38

SHA1
7260690161f53e25bf3302849c7898be18b7c988

SHA256
664952939f9838b1b7654041bbf8216745d0c9a7c5a1e687acd21c62ec612865

SHA512
37b6e571075dfe10b9ba680c44f3840d404466e9a29d5f266816182f4ade01ec64bf43e79cc2c937db2f286783b68826b3b846921176cb15a3161d0bdf26d3fa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
df19158269d54b87c22c6acb6bb6c284

SHA1
4ab43a04a294757c183fade02b38d5bb9f9af75c

SHA256
de1225d25e2b4369153a966edb38dde1c50b1b70c3f62d51d032c957d9848862

SHA512
50bd921d1730497908cfed567d2df428f7d04b68deb1aebc5f4df4f0ba6b01671de5091d023c02c8bade17aaf74c68079aeedec9d9e8ad14e67d4bcb0c5f9899

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
6139503140f580709af66cd14e1e0223

SHA1
e07c62ec80c4d0bcf6aade0352bab8c7acc09dd1

SHA256
58a7b34619433eae92dbca7a6232d42b9eb69eeb9993b2deca7646e82daccca5

SHA512
fb05be1fef2faef5c2d0900690d9653b384bea302d7ce759f5c60e9a5cb16aa31ba144a45ef5248c216f2e8379f0eedcf355b7b7dbdd85235a8dcf0103e0265c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
096f258672983cfab129baa3fd6ab176

SHA1
cf2c5e9d6187e2afaa24923271840420e4194a87

SHA256
9d332ae514b44094b8b0539d7dd0b09db9c7b303028efaadd420cb18d7adab88

SHA512
c63ba49b7f8e0b51b02d1cfa31be382f44e22eb01ea1cba68a14b4f4a6acb0e46e65456f751a487b6fc2c9e06a98c44bce624bf7f2a4ce03dc31532b785b7949

Download Submit