Analysis
max time kernel: 119s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Resource: win10v2004-20241007-en
General
Target: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
Size: 2.6MB
MD5: c44913bc98605c7005cabb1c49c2afef
SHA1: 1845a2bf8f8c0ecb27ede9b86da76f722aff0c0a
SHA256: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb
SHA512: d7b4fc2de4384c421a77a08ed0993ec0a92bf0f95e3cba8173a19a6dc532d88a014da88a0d9272df71edb4b18d7736e967b23e88b196520157854509107133e7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSS:sxX7QnxrloE5dpUpEbF
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe

Executes dropped EXE (2 IoCs)
  PID 512: sysaopti.exe
  PID 2136: devbodec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocV4\\devbodec.exe"
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8G\\bodaec.exe"
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysaopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 924: 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
  PID 512: sysaopti.exe
  PID 2136: devbodec.exe
  (the report repeats these three pid/process entries for a total of 64 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 924 (86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe) wrote to memory of PID 512, procid_target 86 (3 entries)
  PID 924 (86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe) wrote to memory of PID 2136, procid_target 89 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe"
  PID: 924
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 512
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocV4\devbodec.exe (depth 2)
    Command line: C:\IntelprocV4\devbodec.exe
    PID: 2136
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads