7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002a

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
Size

2.6MB
MD5

6d560d427675bfebd055ce73d1265e70
SHA1

ff9fda916b45a29709f7ae40a2c31858813d26b8
SHA256

7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002a
SHA512

9582ec5bdd568a615bb3777c95d0349b1dc1bf1052f8a6d9e27ea9451c092a4e36728d6dbbbeba6264e9a2e5e39d272d42d5aef57d01e8dd41702fe16724394b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	sysdevbod.exe
2800	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCZ\\devbodloc.exe"	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE8\\optixloc.exe"	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe
3052	sysdevbod.exe
2800	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3052	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	30
PID 1640 wrote to memory of 3052	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	30
PID 1640 wrote to memory of 3052	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	30
PID 1640 wrote to memory of 3052	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	30
PID 1640 wrote to memory of 2800	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	31
PID 1640 wrote to memory of 2800	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	31
PID 1640 wrote to memory of 2800	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	31
PID 1640 wrote to memory of 2800	1640	7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe	31

C:\Users\Admin\AppData\Local\Temp\7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe
"C:\Users\Admin\AppData\Local\Temp\7451c0fae03597dda3fd794ad9d5f0dbae807849fedc2bed9bf70454267b002aN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\SysDrvCZ\devbodloc.exe
  C:\SysDrvCZ\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxE8\optixloc.exe

Filesize
2.6MB

MD5
58673dddace573685ed9934b43198e7e

SHA1
83d156c36e2224cf9b8b8fcaa5bd68ef001bb250

SHA256
f6628a7a3ba713a4103105cc38c5e4f1c59dc0910e5f52b2f3ea20058441c450

SHA512
26a37d02c71c48dbf5206cb623c9c0c224063bb3dbe6cc7a719a2e9dea267238f9eefc6594d054226b59e2ce3020cbae2797e1f5a863dda9a024f67073081fe8

Download Submit
C:\GalaxE8\optixloc.exe

Filesize
15KB

MD5
10e6df3619bbbd1a2464d5000a56fbb5

SHA1
9080f324c059847c04fbc434d62d8ab2e06140a9

SHA256
e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

SHA512
9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

Download Submit
C:\SysDrvCZ\devbodloc.exe

Filesize
2.6MB

MD5
6d694c9bff6c060c74d8aa4d8ca8a9e0

SHA1
bc2a56745093bf532680367aa90ea3e9827ed19f

SHA256
91ef612341b4d7c8ff4a39d6ca0aa9fb372704c3e8e9765dc1321cffe09abdad

SHA512
71f2a3bc3c4a89f2a185334a0db7ff03939cf2afa4a7fa2d275c5b7dda3c0c530e0725d92a1152375e2e0a34b3bbdbf8b8193361d27cc7c65ff1323524c1078e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
06f2c048bbbdc383bf23008f988d8d68

SHA1
f79ecaf12f8424166d9dbfcff8e510f76b58b390

SHA256
b6a9ceefc35dc6535f0854a7fdbe19a29ac5e78d2d8bd35d28614fa443d05f8d

SHA512
9d7bf029e4c96056e6338e0a16f82a1b4055d13ad5f9114fdd1a7a2da0851a0a6878268608bec0841c96f3e828c59b2914e9ff5ce8afe6a47322e39159b038fa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
a232e5ec233c6a7b3a4b2ffae3cdeb13

SHA1
6ea99d478c740f60ee3be16895d8b2f483d262ba

SHA256
4647ca7733f79f12e5ef2044db7eb66207e19243bd5b7a284edd3ceee70ce860

SHA512
f4de359855b7698c6dd0acaf50976ef36d801e6b0e1e73facc6e574ab9da135aa77787cf1000f26250bad463eebb6a8363d4fb98d45081ea28b2f4290e7091d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
83086b4a0f35c871d31fb46082a34f68

SHA1
2182768d406f853a29f66ab7ccb9a9c297dbeac8

SHA256
d07e9d7f38446e8446fa14b79a60bab4b46d09db74f4fc633b1a99d5fb1b4b50

SHA512
9504e6594e16e023e953514b357847ae44cdd25c4416c1b092ff6f2c4550be89e00a7245e846ee357286875bd231029046e348690c17de7acbd5feb8c8a75640

Download Submit