Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:13
- Static task: static1
- Behavioral task: behavioral1 (Sample: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe; Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe; Resource: win10v2004-20241007-en)
General
- Target: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
- Size: 2.6MB
- MD5: 7dfd8ebf5512591fc9a1f79239380f6f
- SHA1: ebe3dcdabe9e7f5f07f1f44573406172453c064f
- SHA256: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10
- SHA512: d566cd4cdd428a1d554da42cd6ca17ba53539e682c220ca447c714494f5f32e4cc538f0f526df06129b73652c882d0fcd14dc166c46efba94daa84cd069288cb
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSS:sxX7QnxrloE5dpUp6bF
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1844 | sysdevbod.exe
  3200 | devoptiloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTL\\devoptiloc.exe" | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHV\\dobdevec.exe" | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same pid/process pairs, collapsed here with their counts)
  pid | Process | entries
  3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 4
  1844 | sysdevbod.exe | 30
  3200 | devoptiloc.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3560 wrote to memory of 1844 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 89
  PID 3560 wrote to memory of 1844 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 89
  PID 3560 wrote to memory of 1844 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 89
  PID 3560 wrote to memory of 3200 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 91
  PID 3560 wrote to memory of 3200 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 91
  PID 3560 wrote to memory of 3200 | 3560 | 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe (PID 3560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 1844, child of PID 3560)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvTL\devoptiloc.exe (PID 3200, child of PID 3560)
    Command line: C:\SysDrvTL\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads