815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f

Analysis

max time kernel
119s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22d746c3f1a3d9dac251f7e782a1580N.exe
Size

2.6MB
MD5

b22d746c3f1a3d9dac251f7e782a1580
SHA1

3f367ea3cc2edec81797d822920dd4009248c613
SHA256

815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f
SHA512

cc7819cc7410db397956a3f5f6fbadafedd11f7a64ee12ac0014310fd0e80e1749de724ff3261dc7c715bd9680e198f9489a4b35b0bb27c0748113658ee8ad0f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	b22d746c3f1a3d9dac251f7e782a1580N.exe

Executes dropped EXE 2 IoCs

pid	Process
1700	locdevopti.exe
4132	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYE\\devdobsys.exe"	b22d746c3f1a3d9dac251f7e782a1580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMN\\bodasys.exe"	b22d746c3f1a3d9dac251f7e782a1580N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b22d746c3f1a3d9dac251f7e782a1580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	b22d746c3f1a3d9dac251f7e782a1580N.exe
4984	b22d746c3f1a3d9dac251f7e782a1580N.exe
4984	b22d746c3f1a3d9dac251f7e782a1580N.exe
4984	b22d746c3f1a3d9dac251f7e782a1580N.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe
1700	locdevopti.exe
1700	locdevopti.exe
4132	devdobsys.exe
4132	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1700	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	90
PID 4984 wrote to memory of 1700	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	90
PID 4984 wrote to memory of 1700	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	90
PID 4984 wrote to memory of 4132	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	91
PID 4984 wrote to memory of 4132	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	91
PID 4984 wrote to memory of 4132	4984	b22d746c3f1a3d9dac251f7e782a1580N.exe	91

C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe
"C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\FilesYE\devdobsys.exe
  C:\FilesYE\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesYE\devdobsys.exe

Filesize
2.6MB

MD5
e024aa71d5a7bcf3743aa1278ea54158

SHA1
568ce39602290c1c1f4df5f501bde36f12de15d4

SHA256
8273fac3cace5f873ace2b66356cfb40aeb7175762c378b51e364eccfa880441

SHA512
416373f5ac55009e2ae5f67a02e0c1540ec61f9cab1e9a254aff96c08910639e7070f052bbaf3b3fe7a3b15674bf27ede9156d2aeaa3ffe67e8d5d3219337bc7

Download Submit
C:\LabZMN\bodasys.exe

Filesize
486KB

MD5
6dc09ff8e7f4ab13a820592a5f7f04c4

SHA1
0e0e4028103ac0fc41254bf6fefdbb2e4df4863c

SHA256
4a1d1ffef3c6e03f9e16a27466bab645c482028fc3d94b3cde096af7c6aa61cc

SHA512
67906cf3d867acd878a968f2df427755920a48354552f787aabb4f7b27197eeee9c2e14dd83ffa30a4f55a3f0c482c1c38f4a1095d0d0529348128191228c58f

Download Submit
C:\LabZMN\bodasys.exe

Filesize
578KB

MD5
7441b8e33672eb6a5a89cad617bfd78d

SHA1
cbf12e66ed6c48b84ab96277421f84a199c5e223

SHA256
c99d80a01d527cecf5e9a01a70725bbb112f80898be59eaf6e2ff3f53c71b767

SHA512
f944b381faca2f453cef53663fe34587a8bbbedadb2c0f2523e09b20ce4632f745a1eecbd58fec732e3f4e4c2f4382edc7070f1d884d98db3967edb4683fedff

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
c06834c8fc59d86d0f818e3307c85d31

SHA1
eba95899d59eaa27f4d5f2151b5c2fbb331231b9

SHA256
f1913c56553a98b06ef8957dbadeb3939974da9608c3bc0b806285eb5a7a1dd2

SHA512
0643c31908d6f462408f8c0318525d3f90b2960cb676017420b8a47c5018760c6ebc50f3a8e071005ca079f2ed22f9c54ee82338b74c74869563692ed3d27759

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
6319b43cae45e977557fa842b33c27ba

SHA1
377e2b00fc629584ee3fa896e6dd7c37c5bd469e

SHA256
3e445a6d1f5e571dd12128245339b833d339a8790bc6ffeeb7e8626b3d5435bc

SHA512
a2d8909c3df45c2235d7c4386aa8e9658bce0bcd4861e4bdc7805272c81642edea58a901e858061b80b2b9021d03a640f4f7df9c028cb52bdf120e207a114a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
e4d3a4ff7e228d79e05767933a5563b7

SHA1
91cf313bf455e64345d05b770f67444349172f1e

SHA256
1e667b673e7b9e75c08e460676896895e26c58d9e16c4906bf3b61b10a8ac11c

SHA512
9cf7fe2a3d9250a9b46018b8304eb5e5f72306448ef7085a997df28e7c97c9d942724489f3ff1d5157f0a49d2e2f66211bf934932f131b416ebc846d6371038c

Download Submit