0450ca6f051a64490094357efe8bfb14b81ed9b4ae2be9a15fca11ccee164873

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfec63e5c4fee8cfdda5bba91d3ab590N.exe
Size

2.6MB
MD5

cfec63e5c4fee8cfdda5bba91d3ab590
SHA1

9b938770971c64d6a967313581ecb9f8cd8fffaa
SHA256

0450ca6f051a64490094357efe8bfb14b81ed9b4ae2be9a15fca11ccee164873
SHA512

5e08ccc74e079dc34acdb1284d960ba8564fab0c3910b9a1191188a5d69506ad86b42cf7236c0e76b9f9360172855d53e63108e89eff86488079ae68083cf91c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUpJb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	cfec63e5c4fee8cfdda5bba91d3ab590N.exe

Executes dropped EXE 2 IoCs

pid	Process
4956	sysaopti.exe
1436	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4V\\devbodsys.exe"	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY5\\bodaloc.exe"	cfec63e5c4fee8cfdda5bba91d3ab590N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe
4956	sysaopti.exe
4956	sysaopti.exe
1436	devbodsys.exe
1436	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4956	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	93
PID 4764 wrote to memory of 4956	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	93
PID 4764 wrote to memory of 4956	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	93
PID 4764 wrote to memory of 1436	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	96
PID 4764 wrote to memory of 1436	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	96
PID 4764 wrote to memory of 1436	4764	cfec63e5c4fee8cfdda5bba91d3ab590N.exe	96

C:\Users\Admin\AppData\Local\Temp\cfec63e5c4fee8cfdda5bba91d3ab590N.exe
"C:\Users\Admin\AppData\Local\Temp\cfec63e5c4fee8cfdda5bba91d3ab590N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Files4V\devbodsys.exe
  C:\Files4V\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1312 /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4V\devbodsys.exe

Filesize
2.6MB

MD5
9fb7d046266a4ddb19a9db597a03eaa5

SHA1
189d6c33e4a806d2cc0ac0b4f2f03f28b911deef

SHA256
1765986118ae48a487f3fbdd4891e247374269c0507cb6d2eece66d065cf5cc5

SHA512
a58da18fec37e9a77d6c4b4f57c6dd9c84681fc90406bd38953c46c4cba7aad05bfb9df855f621cbbb77756472fd2580b567bb9f6db373ad6339b5e6adf16740

Download Submit
C:\GalaxY5\bodaloc.exe

Filesize
2.6MB

MD5
0c8d9b46277125baae9ce7336d9473df

SHA1
46e6b8ded80d4096a4ba027574941047df57e61d

SHA256
a4a2fa5d10d5f10709ab2466384dcb4fe984d180798a1f3976f3810600e44f0a

SHA512
1f3df09d2aa483ad5a78f8862b831ca67f13a0a5a44d064134c22b2607b8a033d5e59a821bad59ca7871ee305ae99269e2ef80a41bdd602cfb11b3773e5c50c3

Download Submit
C:\GalaxY5\bodaloc.exe

Filesize
311KB

MD5
c61e8689c77506988206905e871d0972

SHA1
420e2652b45ba42da1ae48ce7c25b2f03d4d06dd

SHA256
6ab93308bea2d549fc28fcffc366833bebe6faa038f188f8a9cdeb4ae5c966a1

SHA512
8389f2149d3f1612705aa52972e21ef822c4bf4bb76885c47a2778c17cbb47be23376be3adc3c240a50911d60d15528c7b8a82aaed4f1340fca5d13fd0d5d32a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
c30cea014e318a4d00631bd57caf8706

SHA1
3db08ee377c28d486cca384b8c15e48584782110

SHA256
656bc0a3a58d48c06ba2f07bb02a10d965b5121fd3cfe2fc7437b540b0b47008

SHA512
7ef47dc40c9629aead02ad2492490e707f47102461fd761270f563a768240bb41a40fff05f508e9d34903567c976616ceb71fbf11ea3d670718dfc2e65a6b01e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
4911c4b86f4c759af0aacb5152365972

SHA1
03b86ec496841f21b352cf04222665dd666245fe

SHA256
111830e9ee41bc3b03ec2bd375661b80ed36e7ad8c7256a3fa9035f2b258b283

SHA512
1961e247d4bf007fecdf323984907366e3b7010d48d70d654074824f9b4eb3c5388b9ec52ceea24a569d5661b8b3a9e0e21e4b7ad352b3d73169cc50fed74245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
c69655978b165dd38739be49867a0006

SHA1
260e03adcd7be04adef4a436ab4c0236d449965a

SHA256
0dfc57b7ca5c9fc4bb459dc1f0fa9087568bb268eae3a36e85fd1789a708e0e8

SHA512
42964bf8a6779da160e12dd8595e607b79b9d62bc1758b780df51ddd1889e82f21c20086ac149d1a7312ab9d5b7d627bf993d05ee4663834bcf3cadaaf289234

Download Submit