54573e872ec1d6a95a26168764502dfe7473e82e96bb9f84150f950bd8c1bdb6

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2854cd148b95df1a4acae35eb5b47690N.exe
Size

2.6MB
MD5

2854cd148b95df1a4acae35eb5b47690
SHA1

f59d8558889a7fa85a65c657c693e3968a099d33
SHA256

54573e872ec1d6a95a26168764502dfe7473e82e96bb9f84150f950bd8c1bdb6
SHA512

d554579e3d75f5539484b32cdcde211652eb54648a2fd2079a36e5e6068fe7fff7f534ecf04433dfb2488c6cceae866ef2898b6b726f1142fe9835993a595c66
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	2854cd148b95df1a4acae35eb5b47690N.exe

Executes dropped EXE 2 IoCs

pid	Process
2600	sysdevbod.exe
1056	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNR\\xoptiloc.exe"	2854cd148b95df1a4acae35eb5b47690N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWM\\dobdevloc.exe"	2854cd148b95df1a4acae35eb5b47690N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2854cd148b95df1a4acae35eb5b47690N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4380	2854cd148b95df1a4acae35eb5b47690N.exe
4380	2854cd148b95df1a4acae35eb5b47690N.exe
4380	2854cd148b95df1a4acae35eb5b47690N.exe
4380	2854cd148b95df1a4acae35eb5b47690N.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe
2600	sysdevbod.exe
2600	sysdevbod.exe
1056	xoptiloc.exe
1056	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 2600	4380	2854cd148b95df1a4acae35eb5b47690N.exe	89
PID 4380 wrote to memory of 2600	4380	2854cd148b95df1a4acae35eb5b47690N.exe	89
PID 4380 wrote to memory of 2600	4380	2854cd148b95df1a4acae35eb5b47690N.exe	89
PID 4380 wrote to memory of 1056	4380	2854cd148b95df1a4acae35eb5b47690N.exe	90
PID 4380 wrote to memory of 1056	4380	2854cd148b95df1a4acae35eb5b47690N.exe	90
PID 4380 wrote to memory of 1056	4380	2854cd148b95df1a4acae35eb5b47690N.exe	90

C:\Users\Admin\AppData\Local\Temp\2854cd148b95df1a4acae35eb5b47690N.exe
"C:\Users\Admin\AppData\Local\Temp\2854cd148b95df1a4acae35eb5b47690N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\FilesNR\xoptiloc.exe
  C:\FilesNR\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNR\xoptiloc.exe

Filesize
2.6MB

MD5
9c41ae9db27a74419d50e1af0a4ba211

SHA1
3c2518bae51f820485aab7a57230f14c712f7667

SHA256
67ed8f8b8b5b3838d515f724ad0799d0e324e8ae9b034900e57ebded4ef183e1

SHA512
2a836099598330ff11b7ce7ee775641f653c2282a632733a22ac1dc242c579480cdcd1f0108201cabf4dd017862faa7455f196a544aa7fe1f5958239c7a97625

Download Submit
C:\GalaxWM\dobdevloc.exe

Filesize
2.6MB

MD5
43af816ee2e1fed5628dd9a426f6b2aa

SHA1
fdc00ce7a4cd36e6a387b1a5be20b27c244d8c65

SHA256
e37e504e779b8c7a08127520594abfedbc78e1274691bf7e567a996e37506155

SHA512
2a5011a83597dc4eacedd19a923b0949261949bc7f2263349581df301d8572824859a77332af4ddf49bc01c6dd47a91a378ad2b4c92840e7567ba61295fbc695

Download Submit
C:\GalaxWM\dobdevloc.exe

Filesize
17KB

MD5
de7175166b9ff0cdd866fdc4fd9b11bb

SHA1
26ce9e5dad36bac744ae30b037c9538afc41fd9c

SHA256
3227f9af271ae26f02716cbbbd5e8a0b4a176449b90b8f9212a982bc1aff2679

SHA512
20bdffd0a3c54460e8cdc1d24ed8f302626a9e162692b0b345c002b73ec4b8cbf259ca56ff2d4f92a3ab43a45d6db8b5b1a876295cde75434e22ba77f6072523

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
eb4cae3bc5852f21237154396236447c

SHA1
23f421240bed0606723bb0915494f147518c156b

SHA256
b5c97f75807d3027345f191dc04514c750590a2c2326ccead2c1026f6536e147

SHA512
ca232a380558e6c82dd641cc17656f54f02d17adda6512f8c375f8f617dcdc43d682523ffdfcb0c479838b097db28ea3ffbaf5ae82204f7a232155667d87164d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
4c8ba3c9b5f32e26b0deb37cb62af6df

SHA1
7537f743f0b0e52aaba8916e5d0e8b824d71af0b

SHA256
9a416d144cd755b63273698c74d059fe8b6a75ee6f4ee545f296a5ea9f399c44

SHA512
ed3426d75174966803daf32ad506169b3113574d5a7e466542873369b3962116d79fd5cbe1352f202d936f8ca02a75da674c7dd74336ba7ff419830ad6394f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
b4a5537c0ae99d2ffa422b7ffdfab218

SHA1
e4168f9661cb3ce5fcee669996c8ee8c7733a78e

SHA256
1b31bc82c708b314bc9be62902e7c4d436c9666854f46c5bd11fe64e0a0b47c1

SHA512
aebdec0bcaa0360cfc5f3bdb8a4740c74c0b53b74aa1f4c914a01eb41c7acba19ef3d78136d681738071d3944f2f5cc1f2a2643ba6681e9be3a5bb9f96243de0

Download Submit