47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Size

2.6MB
MD5

c75f8108b2477d5d8ca476ff3f030c00
SHA1

8531b0d56cc07a8e4e04367884cbfffe9b1b5102
SHA256

47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3
SHA512

fe2db60878e9fc298c0496378dccaebe1b013055a4c60a0dec40ce0d4e0c6bb7ff71b9951bb8d27cae117399c5f002f4739f80ba9ce78d20ed7e3d99090b060e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	sysxopti.exe
3532	devbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRT\\devbodsys.exe"	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLX\\dobdevec.exe"	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe
4832	sysxopti.exe
4832	sysxopti.exe
3532	devbodsys.exe
3532	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4832	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	88
PID 2440 wrote to memory of 4832	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	88
PID 2440 wrote to memory of 4832	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	88
PID 2440 wrote to memory of 3532	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	89
PID 2440 wrote to memory of 3532	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	89
PID 2440 wrote to memory of 3532	2440	47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe	89

C:\Users\Admin\AppData\Local\Temp\47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe
"C:\Users\Admin\AppData\Local\Temp\47f5c8bee7db64f71336777caa33d9b931b6803def6a8c865525703f838615c3N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\AdobeRT\devbodsys.exe
  C:\AdobeRT\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeRT\devbodsys.exe

Filesize
2.0MB

MD5
c86e3282678bdfdb2fa3054c1ffcc236

SHA1
a7de140e840404f56e4ab1af3b4afbc50ee89915

SHA256
c7728462285c9c75904aa374196310049487c5d43e46cd5e68bfdce942ae6334

SHA512
249e40f39daffe075c464d671dc4fcb7aa4ba7206b1d80abfaa98e9698aee443638e5330eba8dfa8878d3d24cbc140ac97eef37490e26468c995f2a85e913cf5

Download Submit
C:\AdobeRT\devbodsys.exe

Filesize
2.6MB

MD5
3c68fd5965ea62f884c12899c45ff692

SHA1
6e544f4e54ac4f420fe45bff91bf1f2bbbc229f1

SHA256
09a3f563a41e02eeeee71d423d751688f072e3cb654d74bf983a49400f81845d

SHA512
42264f0f633161522fc4bd2286f1bbae3344fa067b9f7d689bbe606f87ca07c4fbf7a7ba6f68917ac4abac685c4b1ad696805cb691f50b17f70a2fa03fc17725

Download Submit
C:\MintLX\dobdevec.exe

Filesize
576KB

MD5
37dcbde06c8e524a35f7eddc530a5b89

SHA1
90f07c526650b1529d84610c75dc0fbf31a696a0

SHA256
41e5c746b9a0ed5b3df2da7c9cc58229dcee92396baf5d9ce3c7dc4abd36d1b2

SHA512
15e95dfe0b4405db5de493ff285885ef7fa2b23a9fde91c3eaa312919255f212f48052f899512df188efd35a2864db33ba17f2b0be43e5f5901c1203020e035f

Download Submit
C:\MintLX\dobdevec.exe

Filesize
20KB

MD5
586dc09d5804dc54d44fbabe2f70a2f5

SHA1
1b5a9a763950331479ac1c498b03264cda1e5e0e

SHA256
33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079

SHA512
54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
3d3c6cbf5b63fd2ac2c8e03253c7623b

SHA1
9ff461398d8d59eaa565ac500f1e2b0e91b455c9

SHA256
2199150a47792d7ac620ad329363d54215c85ccc2cf33c09b17e8ca13c96bd10

SHA512
af0ecbe08638f403784bdde835607cbeb2841086f2ea9f565411b9486876aae61a48e1467316219a2b7d9de97327fd3590f33ae274a326d5119773986fbeb9c6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
6cbdf512b3f0049e37ad40970c6af6b1

SHA1
20bf32e8de671466c630e0261d3cf08a537babfa

SHA256
3742d4b1551c74c2af54fa51be936f6513f78ae22c0038cac11a56889f4a814b

SHA512
91a1280b757faa583c03285ef271bf92c536d9d91efc198f8576de82eeec8a1bd553b23c78990c64188563ddf0fb5275fd81a5f1a7f485f62fa4aa1458c97833

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
2.6MB

MD5
6a59cb664e0ed76b1c213c8b83444ef2

SHA1
9071b80e24ad3ab75ef6ab49a9e866424d31d29a

SHA256
d5f200a3ec6b027bff44b1f5033023f9a48ab2835bd60bcc704869cd1b338b50

SHA512
bc6a1214de96b610df09c7f740942ba04c855e2d2cd54844d80f92750e021030028e73728d7521819ac99bcd8017c752e12f27b461e7437c728f1686efce98c5

Download Submit