9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Size

3.1MB
MD5

78d28f8d486d3dcbb25d5c0a1868e5b0
SHA1

21190661240cc5803c32dd4c2c8bf501eb715388
SHA256

9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf
SHA512

3b4de1a63f3e32fcc7b1644ff57113b41b6fa072bd2e17d4da0029b2bc6a13b26b58c908a23a50625f1cf7351b4ffa49377f12f1a3c9036f43b2b98f81fd5069
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Su+LNfej:+R0pI/IQlUoMPdmpSpR4JkNfej

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Admin(

Executes dropped EXE 2 IoCs

pid	Process
2440	devoptiloc.exe
4892	Admin(

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBM\\devoptiloc.exe"	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAL\\bodxsys.exe"	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin(
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4092	ipconfig.exe
876	NETSTAT.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin( <<-@-(;-95:3(5\>;?;2@(#5:0;C?(@->@�1:A(>;3>-9?(@->@A<(sysabod.exe	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe
4892	Admin(
4892	Admin(
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2440	devoptiloc.exe
2440	devoptiloc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	NETSTAT.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2440	1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	89
PID 1628 wrote to memory of 2440	1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	89
PID 1628 wrote to memory of 2440	1628	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	89
PID 2440 wrote to memory of 4892	2440	devoptiloc.exe	94
PID 2440 wrote to memory of 4892	2440	devoptiloc.exe	94
PID 2440 wrote to memory of 4892	2440	devoptiloc.exe	94
PID 4892 wrote to memory of 864	4892	Admin(	109
PID 4892 wrote to memory of 864	4892	Admin(	109
PID 4892 wrote to memory of 864	4892	Admin(	109
PID 4892 wrote to memory of 4036	4892	Admin(	111
PID 4892 wrote to memory of 4036	4892	Admin(	111
PID 4892 wrote to memory of 4036	4892	Admin(	111
PID 4892 wrote to memory of 3840	4892	Admin(	113
PID 4892 wrote to memory of 3840	4892	Admin(	113
PID 4892 wrote to memory of 3840	4892	Admin(	113
PID 864 wrote to memory of 4092	864	cmd.exe	115
PID 864 wrote to memory of 4092	864	cmd.exe	115
PID 864 wrote to memory of 4092	864	cmd.exe	115
PID 4036 wrote to memory of 876	4036	cmd.exe	116
PID 4036 wrote to memory of 876	4036	cmd.exe	116
PID 4036 wrote to memory of 876	4036	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
"C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\FilesBM\devoptiloc.exe
  C:\FilesBM\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin(
    C:\Users\Admin(
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
      4⤵
      System Location Discovery: System Language Discovery
      PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBM\devoptiloc.exe

Filesize
3.1MB

MD5
ffe0db4aa7bd4d8482f4f00ff411978d

SHA1
908743af229718b9d56dbd7b916bf8326b468417

SHA256
1ddd266a38bc843e807afc0bdc1f268bae28ff2a40d36dbb9ee7cc8c5979a714

SHA512
9887b2aa218137a3b177ae2dd109d4e8de2bf75535bb0ac827f83020e177afd7923726f7345b0803b5c18416d18533267d39b2cce272c40d835548b695eb8340

Download Submit
C:\LabZAL\bodxsys.exe

Filesize
3.1MB

MD5
9209b85670727f7e3ae46e2dba774d51

SHA1
5f703b19e0dbac405e7122821ce685d264318437

SHA256
aa2da74beaa0861c9d3072ab95a00d329f8f5dd20d7c4a93240d56b6f8a7847c

SHA512
4819c8c2d458847d61f91146324af3df0f29f9dc9ed435fdc7ef42dd633a96ecb4a0a886bb3ff747d63f4a10cd19c9525a83818076f537b3ea32bf10b8005a6a

Download Submit
C:\LabZAL\bodxsys.exe

Filesize
3.1MB

MD5
abae4afb0a28b65cdb8e92a01e518493

SHA1
4e8f884773879949433e6ef147d7b24c56385066

SHA256
07583a710ecf9e8c38dac9c37fc4cdbcc66b604102ec8c571d47c2edd300d0ff

SHA512
ce044b5236f8acfbb9a1e06e8127db62f762767de130d993c26feb8e73783c701393ade71c04c80390f269ca4727701beaa08d31887308c02679ec97da5108f9

Download Submit
C:\Users\Admin(

Filesize
3.1MB

MD5
1da2fca19a540853fcfc9a4ce3c4bf51

SHA1
b46f495cb395e659970300b76235724f2349e231

SHA256
4b512da841e405c9fe671ddd671d5a1699494ee718c02fe419f46be1ec198f5b

SHA512
6a4e5a62982efd285634fbff7af40d884adfc1b8be003d45fb79f6504bebf8e1ee4727c9960099549c04ae1e17def0d8f6a956c4c3a252fad8d30e79426743af

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
92311f32612c1ec4162be2f16245ddd5

SHA1
f1e18fae6cf2e630df7efdb8b47f63e887993d10

SHA256
794f66a62514694ecce56ccd6e591e19da749eb11cd1aa245e94a9060d7d64ed

SHA512
36b49b7b1b48e5d2be2da3c2904186f1fa8ff39202f98088defbd597bc1582586f88b818a54f008c1b925a4466525fd10e26eec5bb3101b328ff3e6c0b2fc1c4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c6677e67d79385534f13f7f358724bdc

SHA1
94283b49a8d777a2ac967b3f38c1530ba7ee39d4

SHA256
04605c5cd9ce3060e11de4a407b45de24f74085d2107ef3693cecbf6ab2b4e5a

SHA512
ca9c6c208ef60cba1fdd8eeda5fa56b6966999ad8ef1f9e6e6e12766cca00a2b9fb9fa5d394bd651fbbe63075b6664574ca18da58ec9a5240f40ea7d335ffd5b

Download Submit