d496a7f6ea9defa31f3698fb04beae5736f21bc5d5af8f8bdc6e4b05fd6b8add

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
Size

2.6MB
MD5

44e8e9bfc0cb9e4c19ee3fe427f4d550
SHA1

9ce4eb4d3b3c8b2eca07b24af81ee00ef0d993b2
SHA256

d496a7f6ea9defa31f3698fb04beae5736f21bc5d5af8f8bdc6e4b05fd6b8add
SHA512

20bd20cf309ddaeaa31a3af3afbda3e23100513d412e2a8fec9f32d27938f4681cfc623cb948b71c6fc9303280e7958b6a854825d5cfcefae99f8c2f6dfaf959
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUp9b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe

Executes dropped EXE 2 IoCs

pid	Process
3384	sysxopti.exe
5096	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2X\\devbodloc.exe"	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAM\\dobdevloc.exe"	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe
3384	sysxopti.exe
3384	sysxopti.exe
5096	devbodloc.exe
5096	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3384	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	88
PID 4404 wrote to memory of 3384	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	88
PID 4404 wrote to memory of 3384	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	88
PID 4404 wrote to memory of 5096	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	91
PID 4404 wrote to memory of 5096	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	91
PID 4404 wrote to memory of 5096	4404	44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe	91

C:\Users\Admin\AppData\Local\Temp\44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe
"C:\Users\Admin\AppData\Local\Temp\44e8e9bfc0cb9e4c19ee3fe427f4d550N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\SysDrv2X\devbodloc.exe
  C:\SysDrv2X\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBAM\dobdevloc.exe

Filesize
88KB

MD5
831cb9a12fe0bec99e790c9ed16c417b

SHA1
68da39deda05c8e4f83190c504df0bcbe31919ae

SHA256
002ad8ca79efbed7c919a99d2aa2fb34e7687bba57337aee8c8885fb5be32941

SHA512
33daca5a1920e10f9664df8fbeca9898f6567672a1a6c64b818c8a579b6bacd477baf07ca894819072a52d2c8b0ad4043722e3f0dec19e3b50d742a5a58bde1a

Download Submit
C:\KaVBAM\dobdevloc.exe

Filesize
2.6MB

MD5
020231df7100f89618600eac7af13158

SHA1
62428be58bdce38ba64936d5f30754d89620dc2e

SHA256
6ced4b7443d4232f11a16d189268e9d7f794265571eba778213b4bcfdcb39cd7

SHA512
ad46e1bbf0a6af3cf3a119022915693fe9cd6537926a997bf0c521f614aacfd976704c03fbdd95c80bc101d3849b3640990836d0e88977d99357fdf1628146db

Download Submit
C:\SysDrv2X\devbodloc.exe

Filesize
2.6MB

MD5
e2b55c4b4f2ff3012b60d158ed150b3b

SHA1
c833a4357103df86c51f555002f9d78c5fa97450

SHA256
728cc92f99111179bcd1d5ee5542cf6ea0337fc76b303445c4a6ac7930612c1f

SHA512
fa5efcde029a3bf6ee0f4bf7af8946f158073254659deda47b174693177ca420e822536ff71ec7253cd9e7b7b9928bed1b8fdf6259609d7d17457c0fdce82ad0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
dec1734131483d8e78793493df153f42

SHA1
89787ee6494da441bb4faaea5a5dec7a119b181e

SHA256
5d898f29c107e3aee3619cea59cbff1c386b35296483cde181186475a9b66589

SHA512
1b3293ddfb78432ac7ed78b207a79917721fdfb4348d900643ef9a9e430e5fec3a9e53ac8a9981b0b400582a617effab52c2de5cc11cd6b60cc96dd2065e5bf7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
fd8b0e2c5a30cde64ecf093ed5a88148

SHA1
f5f3e59f56a6eaaa742e9ccd86ada18bf73c6d5c

SHA256
c5be8c20545a88606d78bd8747aea0fb46b4aa42bb0cdf95f4c69f83e988d77b

SHA512
ae72a50a0cf4bd18c133d39da29744da90c97cf4c488800d4884f2e8949c10ae6fea273eb9d62d7e2e9b1030f3eec26d3f0aaf8215152084f41432f7db6d7aef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
733194d82c25de54002a8c046c2091d9

SHA1
6a9ebd0dc44fd7f5e0eca2b1061b670100e6f29f

SHA256
8c99eac22cd17ef8eec7dc143f6d702b69c9f08aff9484f9dce7d84a2df45bee

SHA512
1c3a978f8bff85860921d0eedc0aa2387e204be045702347549baa5a417bcab0e13d5851a8313e8b8a6e2ec162136bc796719f9e9a47888254465a2f809cb707

Download Submit