Analysis

- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-09-2024 16:48

Static task: static1

Behavioral task: behavioral1
- Sample: 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
- Resource: win10v2004-20240802-en
General

- Target: 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
- Size: 2.6MB
- MD5: 167fb4e3a01a3775f86adb1cd3bf06e0
- SHA1: c08be65dbb711cca1383adac85058d0e2cc6e391
- SHA256: 8f19a8d237bcf096f87950fa5d0b8b60c409378eedabcba4395045a83ffee2e4
- SHA512: dd9e46f9223adb5985dcfaec271491f250b745f76fa59d32f3d21163d49cd81b4a2edcc8ed1eebd8932a8d2a3d7c82bdae1c0b3c0f95ea83a25e2745097173b4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bS:sxX7QnxrloE5dpUpmb
Malware Config

Signatures

- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.

- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  3536 | sysdevopti.exe
  1616 | devbodloc.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQ5\\devbodloc.exe" | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPZ\\optixsys.exe" | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe
  3536 | sysdevopti.exe
  3536 | sysdevopti.exe
  1616 | devbodloc.exe
  1616 | devbodloc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4792 wrote to memory of 3536 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 93
  PID 4792 wrote to memory of 3536 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 93
  PID 4792 wrote to memory of 3536 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 93
  PID 4792 wrote to memory of 1616 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 94
  PID 4792 wrote to memory of 1616 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 94
  PID 4792 wrote to memory of 1616 | 4792 | 167fb4e3a01a3775f86adb1cd3bf06e0N.exe | 94
Processes

- C:\Users\Admin\AppData\Local\Temp\167fb4e3a01a3775f86adb1cd3bf06e0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\167fb4e3a01a3775f86adb1cd3bf06e0N.exe"
  PID: 4792
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    PID: 3536
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\SysDrvQ5\devbodloc.exe
    Command line: C:\SysDrvQ5\devbodloc.exe
    PID: 1616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads