Analysis

- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:00
Static task: static1

Behavioral task: behavioral1
- Sample: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
- Resource: win10v2004-20241007-en
General

- Target: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
- Size: 2.6MB
- MD5: f7cf191c3efdf86f2d1a224d2d47fd70
- SHA1: 4d6cc971511f21e001654d7600db6984c71a57ed
- SHA256: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8
- SHA512: 730714123d20e8c4dcc046ae7b6f4d1fe5a08f6d044eed175c084f3dfe39ca141222c6f85d8f885db5d8494f0672bc491cd364abdf0ec31e3875ba31f96d0ae3
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  Process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe

- Executes dropped EXE (2 IoCs)
  PID 2840: sysdevbod.exe
  PID 3208: aoptiloc.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. The report lists no individual IoCs for this signature.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxB3\\boddevsys.exe"
  Process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMC\\aoptiloc.exe"
  Process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
  Both values use the same name, "Parametr". The Run target C:\SysDrvMC\aoptiloc.exe is executed during the run (PID 3208); the RunOnce target C:\GalaxB3\boddevsys.exe does not appear in the process list, so it would only fire at the next logon.

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe, sysdevbod.exe, aoptiloc.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4076 d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe (4 entries)
  PID 2840 sysdevbod.exe (30 entries)
  PID 3208 aoptiloc.exe (30 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4076 (d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe) wrote to memory of PID 2840, procid_target 87 (3 entries)
  PID 4076 (d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe) wrote to memory of PID 3208, procid_target 88 (3 entries)
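The persistence chain above (executable dropped into the per-user Startup folder, Run/RunOnce values named "Parametr" pointing at executables in directories directly under C:\, and those executables then launched) is easy to express as a hunt over endpoint telemetry. The following Python is an added example written for this page, not code from the sandbox or from the sample. It assumes Sysmon-style events (FileCreate EID 11, RegistryEvent Value Set EID 13, ProcessCreate EID 1, using Sysmon's field names) represented as dicts, and the event list is constructed to mirror this report's IoCs plus two benign controls. The generic checks (Startup-folder executables, autostart targets one directory below the drive root) go beyond this sample; the specific paths and hash are the report's.

```python
"""Hunt for this report's persistence pattern in Sysmon-style telemetry.

Added example, not part of the sandbox report or the sample. Events are
constructed to mirror the report's IoCs; field names follow Sysmon's
FileCreate (EID 11), RegistryEvent Value Set (EID 13) and ProcessCreate
(EID 1) schema. Representing events as dicts is an assumption so the code
runs offline.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators taken verbatim from the report.
SAMPLE_SHA256 = "d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8"
KNOWN_PERSISTENCE_TARGETS = {r"c:\sysdrvmc\aoptiloc.exe", r"c:\galaxb3\boddevsys.exe"}
KNOWN_DROPPED_NAMES = {"sysdevbod.exe", "aoptiloc.exe", "boddevsys.exe"}

# Generic (report-independent) heuristics.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# An .exe inside a directory sitting directly under the drive root
# (C:\SysDrvMC\x.exe), which is where both autostart targets in the report live.
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$", re.I)


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so comparisons are stable."""
    return path.strip().strip('"').lower()


def assess(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons: list[str] = []
    eid = event.get("EventID")
    if eid == 11:  # FileCreate
        target = _norm(event["TargetFilename"])
        if STARTUP_DIR_RE.search(target) and target.endswith(".exe"):
            reasons.append("executable written to Startup folder")
        if target.rsplit("\\", 1)[-1] in KNOWN_DROPPED_NAMES:
            reasons.append("filename matches a dropped payload from the report")
    elif eid == 13:  # RegistryEvent (Value Set)
        key = _norm(event["TargetObject"])
        value = _norm(event.get("Details", ""))
        if RUN_KEY_RE.search(key):
            if value in KNOWN_PERSISTENCE_TARGETS:
                reasons.append("Run/RunOnce value points at a known payload path")
            elif ROOT_DIR_EXE_RE.match(value):
                reasons.append("Run/RunOnce value points at an exe in a drive-root directory")
    elif eid == 1:  # ProcessCreate
        image = _norm(event["Image"])
        if STARTUP_DIR_RE.search(image) or ROOT_DIR_EXE_RE.match(image):
            reasons.append("process launched from Startup folder or drive-root directory")
        if ("sha256=" + SAMPLE_SHA256) in event.get("Hashes", "").lower():
            reasons.append("image hash matches the analysed sample")
    return reasons


def hunt(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (RecordId, reasons) for every event that trips at least one check."""
    return [(e["RecordId"], r) for e in events if (r := assess(e))]


SID = "S-1-5-21-940901362-3608833189-1915618603-1000"  # user SID from the report
RUN_KEY = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"
RUNONCE_KEY = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"
TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"

# Constructed events: records 1-5 reproduce the report's behaviour, 6-7 are benign controls.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": TEMP_SAMPLE, "ProcessId": 4076,
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"RecordId": 2, "EventID": 11, "Image": TEMP_SAMPLE, "TargetFilename": STARTUP_DROP},
    {"RecordId": 3, "EventID": 13, "Image": TEMP_SAMPLE, "TargetObject": RUN_KEY,
     "Details": r"C:\SysDrvMC\aoptiloc.exe"},
    {"RecordId": 4, "EventID": 13, "Image": TEMP_SAMPLE, "TargetObject": RUNONCE_KEY,
     "Details": r"C:\GalaxB3\boddevsys.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\SysDrvMC\aoptiloc.exe", "ProcessId": 3208,
     "ParentProcessId": 4076, "Hashes": "SHA256=0000"},
    {"RecordId": 6, "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\example.exe"},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 1234},
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

The report-specific indicators (hash, the two "Parametr" targets, dropped file names) will age quickly; the two generic checks are the ones worth keeping in a rule set, and the drive-root heuristic will need an allow-list on hosts where legitimate software installs that way.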
Processes

- C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
  PID: 4076 (level 1)
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 2840 (level 2, child of 4076)
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

  - C:\SysDrvMC\aoptiloc.exe
    Command line: C:\SysDrvMC\aoptiloc.exe
    PID: 3208 (level 2, child of 4076)
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 492b4e27b8c2abac678e83ba4efc0633
  SHA1: f0ab8c39ce09760bb41dcd26e4b057f27de0efa4
  SHA256: 62e0768f3c6da3402bdc83148f0c23a6ea5b20dca221136ef75cde0b03e5bed4
  SHA512: 7dcdcedb57d105f204740f6e40a6fb7327f4d4ab7459dcd8b9a562e1c75a9198fd29ca77d7976795c5d686e5b8d44b1033cddcfb2b055f402ce4b90fd41103e8

- Filesize: 2.6MB
  MD5: 9c3fb6f1464c3b66f26978685a612e1d
  SHA1: 63373df0eebc9e09e4bf17d409ae5d55b34d064c
  SHA256: 8f7efdca0eedb4934e17c0c75824d173ab3b8d5aaabe6bd98c448a70d36c94c7
  SHA512: a0c88aa14e366bcc840c47081539467c1172bb8218ad4338cc4e39d9cd5c548b6d26b55ec73d070d67aed1f7f99a1d5101be266f57c45b5bbe75ce5303586138

- Filesize: 2.6MB
  MD5: 2cd6540bc31ba951368ba52fe9ccbef9
  SHA1: 8e8f6f32a491abfe0f8899e563096e73a2e81013
  SHA256: e65e93e41401115f18f482b0b8277928d3dc1d53499a4cac50458a63a4c92fbf
  SHA512: 7d94c96419f585d1f1646885456969e60f78375e096d2f083ad4051b30975363c8c98b1b574c9cff1bdaea300b335382641490e2ecd4b05ec642e2568bb762e5

- Filesize: 207B
  MD5: 55d1f78c556f44ea74d924f87dbd624a
  SHA1: 56fc3ff1ed19649564b7df3e97354243eb599764
  SHA256: d2e34de3ec093f1946e93856124975eddb2a7afb18618d27f9d1a3244fb23e8f
  SHA512: c2fe1972e810e208a07eb0708147ed8ef35bd5b158600d86e0783d079810f20cf758ab9551f30b05de0d010d649bbb569c03d5dead46ba305c6af0d208ea814b

- Filesize: 175B
  MD5: 9195629f9811689c115cdd0712af0af4
  SHA1: a6c14fad3da0c7f180312e1385ed2ee3b9ce0a98
  SHA256: 0f212ee88bf9a0e23dcd8bc4aa99a447a366fc649b03702f045c5949297d6a41
  SHA512: c037283437b81c1967e602a8f706cf1ef90146e3f1fe879bad769fb61abccaf333f2af6a92a8df46cb650a8a5b8660304a00887d2c2cda08f6b93d2d20230b8f

- Filesize: 2.6MB
  MD5: 34247b38d90d6005694747655cd68ace
  SHA1: 33bde141ef498d654739ee1030ec2aa06210d0cf
  SHA256: 666f7961ee64e64d5a9c4b18bdcee33dfa34d10a5f912851e7c8a4ebe952d239
  SHA512: aee75332b159a7b3fe341b80c214f584d6122b8cb389bd59eed03ad095d0f545151d50b2d611f09ac047d20e200c9aa5739062faf83dffed50ea015e729d5410