5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Size

2.6MB
MD5

cb8ad88571316a7c5db8c8bced8165cb
SHA1

cbb62a447ee5ab176cd4799cee7b8903baece1ce
SHA256

5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42
SHA512

01ed3e177689a611691db1cc9d6c3a57bc5fc108865f1e99720a37c99f6418901d497bb239fb5aa1cd971e8abf4b8d203d65756a114e7689fbbcf434fe90a7e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

Executes dropped EXE 2 IoCs

pid	Process
1004	sysdevbod.exe
1532	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRS\\devbodsys.exe"	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8T\\optixloc.exe"	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe
1004	sysdevbod.exe
1004	sysdevbod.exe
1532	devbodsys.exe
1532	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1004	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	94
PID 2848 wrote to memory of 1004	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	94
PID 2848 wrote to memory of 1004	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	94
PID 2848 wrote to memory of 1532	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	95
PID 2848 wrote to memory of 1532	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	95
PID 2848 wrote to memory of 1532	2848	5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe	95

C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe
"C:\Users\Admin\AppData\Local\Temp\5d52154b0c1bbd07ee65c7dd6b155242d3e3f73f375d55e8d27f43e1ca921d42.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1004
- C:\SysDrvRS\devbodsys.exe
  C:\SysDrvRS\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvRS\devbodsys.exe

Filesize
2.6MB

MD5
9059a2a2250d3944d4e7fcec54b2600a

SHA1
e13298c1ad23b8e4994e5cac29857e066aba0e02

SHA256
218e133821d66c2b425b938a3421ebde11a2e29b95951ef00f5ae09d19725d0c

SHA512
4f3f42db141bdd98b49e7677bdd7f9828adee147ce8d22ff473f17f39a37602fa91f9de60a19217b955d8eaf594c62fca49218fedc3775ebf77becc93840ec94

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
0c5922993aa9a33066f983bb8505d048

SHA1
5b3ef775a3153774a835197374f01c3e66788466

SHA256
ff3eab90af51d5228e0d7278414d3828140a18ac3a9be0a478affb5f7c7ec016

SHA512
de6f27dabe775c705f3409207e945ffa3a15ac795f713a53dd6052b73d440117b938c5e7b78364ec3ee50fa2bb44b6af5bb3c26d5ae4971b7d4301f44abd314d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b4d4c7c9f08655b62e74e7fb3f256cfd

SHA1
7ba7e1881900b636b1ccee36ecb43ef7ec7b21b4

SHA256
aa2f3e010ede160e8fefe26aabb87abaff44cd18eeb7a893faec3f19dfba26b5

SHA512
e3cf2bf1c0737c5b3d8ae949fc68507420815315feaefb855d12312b798409982d2c90db5a90789b4c03cac2e385ea74cf2897be49e1322fca433e6f510dcaf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
c8894fc7f5b1338aa64d9eb0ab41626b

SHA1
57f172015e66048bc3e03cfe53455e93cc3be04e

SHA256
166c97bddb8630809321e582528d02108a669d2c35309400ba75bf25a6bfc574

SHA512
6867459897ff387f82d6a455dfd5fe07628c5e6fe1c580be13bf91175be95d1718d3adca209d48675467144120db98a4c6c1e4a1fbd5752c5ab2fb8dff3397d7

Download Submit
C:\Vid8T\optixloc.exe

Filesize
1.5MB

MD5
2556349aef9980fe25f824b62b9c2d9f

SHA1
594011c2f3d3b7192cc5e0960fbd9c564a9c2683

SHA256
a961d667662114d851a4cdf6e16a5b51e9c5f4ca477b2c759ce47af1ffdb1ae9

SHA512
3e32a099f11033da72ca033c63a0b43855fbeb00822cb11732b7b6652e81d60e851c4471cd024970c11e6fb148b824156cb59bedefe76b4652a72b4a61965785

Download Submit
C:\Vid8T\optixloc.exe

Filesize
1.8MB

MD5
0fe4a7171b1b0e8b0a5cf7d713a146ec

SHA1
05810e3892f5082a08328354c1382db68a66ed19

SHA256
351adab79adcb22799734719c874fc29b57c240dba7d6e4b80703558e16a5f87

SHA512
26c517fbbf2810d7a31dd9760609988e65ba7957ba7a8277c0f164e5bde58c2a2ca85821b9c9b25a0d5c659ee10377df1fbd60fb2fc9a513b40ee1247d9faf59

Download Submit