cca47cd581e73883ed369432e24b3ed65126ee119c0a270b9a6b14642be5d4f7

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403613916f6088f2d9f8cac28c754ec0N.exe
Size

2.6MB
MD5

403613916f6088f2d9f8cac28c754ec0
SHA1

1b8831aa4c873a9b2737d19fa5d9e66e8e8dac54
SHA256

cca47cd581e73883ed369432e24b3ed65126ee119c0a270b9a6b14642be5d4f7
SHA512

8788527bea28a87695318462595df7c9ee1bf01f1a39fc9ee39da42c4a36d59d9b811485b1e33f02b66fe889659f0f3a66e6ca15ae6dbfbd566b67b0d8f41956
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	403613916f6088f2d9f8cac28c754ec0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	locdevopti.exe
2836	devoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	403613916f6088f2d9f8cac28c754ec0N.exe
2664	403613916f6088f2d9f8cac28c754ec0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSS\\devoptiloc.exe"	403613916f6088f2d9f8cac28c754ec0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYL\\bodasys.exe"	403613916f6088f2d9f8cac28c754ec0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	403613916f6088f2d9f8cac28c754ec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	403613916f6088f2d9f8cac28c754ec0N.exe
2664	403613916f6088f2d9f8cac28c754ec0N.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe
2728	locdevopti.exe
2836	devoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2728	2664	403613916f6088f2d9f8cac28c754ec0N.exe	30
PID 2664 wrote to memory of 2728	2664	403613916f6088f2d9f8cac28c754ec0N.exe	30
PID 2664 wrote to memory of 2728	2664	403613916f6088f2d9f8cac28c754ec0N.exe	30
PID 2664 wrote to memory of 2728	2664	403613916f6088f2d9f8cac28c754ec0N.exe	30
PID 2664 wrote to memory of 2836	2664	403613916f6088f2d9f8cac28c754ec0N.exe	31
PID 2664 wrote to memory of 2836	2664	403613916f6088f2d9f8cac28c754ec0N.exe	31
PID 2664 wrote to memory of 2836	2664	403613916f6088f2d9f8cac28c754ec0N.exe	31
PID 2664 wrote to memory of 2836	2664	403613916f6088f2d9f8cac28c754ec0N.exe	31

C:\Users\Admin\AppData\Local\Temp\403613916f6088f2d9f8cac28c754ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\403613916f6088f2d9f8cac28c754ec0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\FilesSS\devoptiloc.exe
  C:\FilesSS\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesSS\devoptiloc.exe

Filesize
2.6MB

MD5
b51b5c3170459a61faca1e6274eec3d6

SHA1
103c1cfde2345a5bf698fd70883bfffa16a9d5ea

SHA256
20a2914b3d4ad2243346bdea69bb5eea8de923536984a96460414f3cc1dca14a

SHA512
6134d8023681eb87b672e97800cb821090e4be73d699c305964cc4aaf95d4c4838b4e35cd192479bb3eb88ce11c2874a9da2f94132ef00f0921db073a1eff547

Download Submit
C:\GalaxYL\bodasys.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\GalaxYL\bodasys.exe

Filesize
2.6MB

MD5
f5dd0536b6cc0b6ace591e4cb93422f3

SHA1
b8d9a7664047dbbe11711276389eb03d03a0c296

SHA256
7f272bb3a4125575410e038a022004c422da7f4a3a36d45c5559f3e2d76efe2b

SHA512
1498b339021618e3169e90a597971a6a0f11983f5801c99017ebc5e13bde010984a69a72de2d4f0cc954af119c82281eebf4e4357839a4d53a876a419b1a6f97

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
741b0a78997b5faaba2b8bfe4ee3d0f4

SHA1
383781518a99a5cca24378d628e325ec16663db1

SHA256
2834652af7ec05313b2b9ed52fdbfb33a90e5f0ca12505f8c932e6c7e9ba4354

SHA512
2d940fcf08af7028212cba94967bdd00c286b730b516332af6fc5f6000f2732afa21cc7922973daa2c5d7ab67c2838e4f07c418cf2af9e4aa209d52f1fd006f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
f1de574d7e9e838dc714ec86ef445b94

SHA1
9275ed5fa7f9330fa8f45ec60bbbd4d49817b615

SHA256
3122fbe7d402a028e33f961baf618bd2680ceb0d1aea752e38ce0676ff7eecab

SHA512
c8db2fe71d2eb444e6e0b3d89a5c205035a89577242490c7ea336b4b10faa8a82e3cb74f8eb7db43dc856b8a5d393875fc680de9e3642c0e03ed36c4d1e9b776

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
2.6MB

MD5
984f4b078b9fd9335eed445ce7a0b22e

SHA1
929f5de7f2096ccae398c857e781513793f2d594

SHA256
35a746b1be772e8b060df66f78da19136e8950fb6c9877068a306eca3797ffe7

SHA512
5f80d9d76c785272bb9c44bb349f81220c6df2bb852295edd0650c44033453805bb4f57af920f271ddcb9d4d21f3dc22f8d233b344a4d04725663b77936a175b

Download Submit