Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 22:30
Static task: static1
Behavioral task: behavioral1
- Sample: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
- Resource: win10v2004-20241007-en
General
- Target: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
- Size: 2.6MB
- MD5: accf34785eae1f5727b18983b01c38b0
- SHA1: 462a1bb16c7eb99319f254eb1df1e852b2ebfeb5
- SHA256: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7
- SHA512: 072ea1f8d38c649328231e4310b1bcaf70734ae58033121d9acc751a774777926acc22e50cdae20eb48463f347669cd96649f691fedb001cbfef6bec971b7da8
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpUb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (process: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe)

Executes dropped EXE (2 IoCs)
- PID 4720: sysdevopti.exe
- PID 4472: devbodec.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPU\\devbodec.exe" (process: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOV\\boddevloc.exe" (process: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries repeat the following pid/Process pairs:
- 1468 be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
- 4720 sysdevopti.exe
- 4472 devbodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1468 (be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe) wrote to memory of PID 4720, procid_target 89 (reported 3 times)
- PID 1468 (be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe) wrote to memory of PID 4472, procid_target 90 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe (PID 1468, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 4720, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\FilesPU\devbodec.exe (PID 4472, depth 2)
    Command line: C:\FilesPU\devbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads