961ddcc5445f67891ca33823d9509795106c3dbfaf8192f7ce9303410d9ede27

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6686cd73ec8da0d94e7d2634cfe4630N.exe
Size

2.6MB
MD5

f6686cd73ec8da0d94e7d2634cfe4630
SHA1

d00fc813a77b29826b888b0797ad03949dba5623
SHA256

961ddcc5445f67891ca33823d9509795106c3dbfaf8192f7ce9303410d9ede27
SHA512

5a4f871975f39bee16249c3331663486adbe22342f94ff34855a63f357d1d784ab08f8fa22aae6aac3198421854835907772862ed51b90c206dadb7055ec2e67
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	f6686cd73ec8da0d94e7d2634cfe4630N.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	sysdevbod.exe
1360	xoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJT\\xoptisys.exe"	f6686cd73ec8da0d94e7d2634cfe4630N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKD\\boddevec.exe"	f6686cd73ec8da0d94e7d2634cfe4630N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6686cd73ec8da0d94e7d2634cfe4630N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe
4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe
4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe
4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe
4772	sysdevbod.exe
4772	sysdevbod.exe
1360	xoptisys.exe
1360	xoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4772	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	91
PID 4768 wrote to memory of 4772	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	91
PID 4768 wrote to memory of 4772	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	91
PID 4768 wrote to memory of 1360	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	94
PID 4768 wrote to memory of 1360	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	94
PID 4768 wrote to memory of 1360	4768	f6686cd73ec8da0d94e7d2634cfe4630N.exe	94

C:\Users\Admin\AppData\Local\Temp\f6686cd73ec8da0d94e7d2634cfe4630N.exe
"C:\Users\Admin\AppData\Local\Temp\f6686cd73ec8da0d94e7d2634cfe4630N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\SysDrvJT\xoptisys.exe
  C:\SysDrvJT\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBKD\boddevec.exe

Filesize
1.4MB

MD5
e3a88220902977468e8d40276b127b54

SHA1
9a3a6393dd5da5e64a446687df90a6d6dc864095

SHA256
195fdac304d421f2c53fb438e15e81e60e4cf983ff5faa5334cbdc8d2daeb180

SHA512
47629b3ee430ace0c52dbab8128e3d2808f243b3a5d439c6e67b01f77fc39d730a912247ea134b6374a022162728a3dbd141a3b6cb054570fdf363b10ac36052

Download Submit
C:\KaVBKD\boddevec.exe

Filesize
214KB

MD5
0849f0ec7f8aaba4823d1158ea923798

SHA1
b94086ab8cd7a9eb6b5d66c2590212f4c8884a94

SHA256
5cef0af85a1eb7ac9f7632b65ae292c8db704e110ea80fc9f605d29c84b15af8

SHA512
ce3635ca3e2cdea715075e47df15c8ade52a034d46cdcf013fbcdc24f932efa49b5bf2b47e3f6fdaa180f7ed44d30e93d7d3ca54404ef18c7d2eeb994db52f34

Download Submit
C:\SysDrvJT\xoptisys.exe

Filesize
2.6MB

MD5
2379f9d85682bc60a316f31cf37898d4

SHA1
a19bd3754156a41feae2a541f228734d364dcf00

SHA256
5d8ec955b27b16ad61284422151435160b1dbd60cb9198e4ce8ce928d2947601

SHA512
1a021e754c589cc1b484096bc5becaa4ffd7b66682b944181b8a38767a8c7b6e374d628e114e47640a71427e227e3da7d9c56231eaad122a29b63dcd98faad87

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
a54de453f0ce845d06deb51d37142a76

SHA1
accd4e4898d3f090f3f6e61c1a702b32cd00f257

SHA256
4a82cfbc9eac0769661c93056169d0b7e1a8320842e84db4614d624835fec096

SHA512
cf1b2a6a8ae99c09f4b3282731e28eae52748aac84e367dd5d6de6727bef6abc3e8125609346f0050b5c21dd94fffd87ea59d1295fa509a1ea15041a4b130d1e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
1988455f67e67ea78952c2941c946c38

SHA1
cff78bc4274340c0412277eac8d7a1b6feaa7177

SHA256
71272d753bdc46dfde2e319e003c2af969b57fea396fffd2cacb81110c355376

SHA512
1b7ad2a98720d901fdc4b41ee99704896fc99185e624cea1e9e6e528f3489856d7a7f51cc50d4c4a3b42275e5e4d2fbe9a211d76d7a080360d32da88627c4fbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
ca71ff118f103e5c7586f243a07956d4

SHA1
f08bddf95b0b898f2398ec42ea1b6e66bea56aea

SHA256
50c10fa018ff5d640bbc057b3bbaecfbc766b256e15b098403e4746d57edb15d

SHA512
809af06f0c3159e1b10ebe42741d17a3ba2d997130da5cb8f57a90ad509a4b1a3189f9c6f40ce3b3a18d845c118c7e104f0db06aec6435ce35fc573b94c0a920

Download Submit