Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:36

General

  • Target

    bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe

  • Size

    2.6MB

  • MD5

    a6d513ce453adbb9d7e7eca7db2e6890

  • SHA1

    e9b8a491095e05b9325c60b26ab25efa78a8ccbb

  • SHA256

    bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24b

  • SHA512

    8245d660844ca779b56a557807fc64d5425ab5f33760fe77391e2b199df05c0f5cf27330d451366e480f9012002896297ae129a0ca6f6e1689af780a4acafdeb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUphbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    An attempt to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
    "C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3688
    • C:\UserDotPS\devoptiloc.exe
      C:\UserDotPS\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintP2\bodasys.exe

    Filesize

    2.6MB

    MD5

    cf87ba070fe9241fcff91c59eb1b6104

    SHA1

    e50c8f2091e58ec87624f0e45a96cc0e9e7db171

    SHA256

    56d1ea5aade92326b2f6ec1ea19cc140a41a04a3b3f59b16afcf36dd9a6e4e10

    SHA512

    2917355956a8e580e40d5ace419081137284ab493b1543fb39038759dee169134506c3b8110299cd3ffd12c55cd2f150fbd83ffd50cae8f190f0a852a2a98bea

  • C:\MintP2\bodasys.exe

    Filesize

    2.6MB

    MD5

    002c0f40e26459c01b3fa7f052dbb592

    SHA1

    de865562341eb341e64dd6b0045935d8d0a12ee6

    SHA256

    e9d3d29cd4d4b9a9ccc588ea8a333e524c4848136e094d860bbfe3f62df89806

    SHA512

    118c12bfda9cabfe8ea7fbe64cf9d416b6daee934f392435069b8fff089e06ce9d3ab28a57f514d44a3f49971eac4ffa6e34fa66f7a0c14712d01db0029524fa

  • C:\UserDotPS\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    069046c11f2b033a1ab2d6fd50e618bb

    SHA1

    487582a189171418e624a8253bf80307b9a42d97

    SHA256

    5c2a81a0ef125cd3e69c59d53c8a58737f5c81b1ae9837298694782f8d3bbbcc

    SHA512

    dcf46c1486adb80d2b0bed18efd31bbdb268badcc7207f0703eee4997b0e7985f8b3a045aa54e5d8d6b45f604fa623d1582969cee7a45f7a495c2470bad66af7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    d1fdf51bf187fb51b55db8cd497ac8a4

    SHA1

    eb9eeddb99c9ad2de1dcc5b705aa96f2f8a7d45f

    SHA256

    279aee81ec7519903a0b2ee0edb527cabd24cee251a6a0b4f3de3d4b242e543d

    SHA512

    7ca0f1a0af7867299ada6a03fd4eaddcca8e358ede3d4b881d72164624d79f4e7b0f399ba21e0ae90e67bdd9e21baefdf4ef6cd51d5982476998c42e99dc9b90

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    176B

    MD5

    815c96e3d648e5a3be55deab2d1e9be3

    SHA1

    3b13b5fc2dad91fc07b378089ef086fe46fbc40f

    SHA256

    3ec0b9ad201929c2b548da68faf06212300dc0e8f12c98b83e8301f5faa650b1

    SHA512

    12e67372c762b76f94112b4c951bdb8fd9758413e9172ebe8c1a8a0096ebca8b1b04e03dbfbde185d2281bcb301d870d3b47fd0431a7860182b21a02bc31e085

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    1e9672fb1c2bca7ec7872c4d9cd45def

    SHA1

    f478c2456a49285369daae9a34c8fa9407b686ee

    SHA256

    f50c7096190d771ae7396ca0d655aaf5080a7df5267702c674ac4193939c22d8

    SHA512

    3cf2494f29fbbd74a394b9f8f1c5a73cdeb7b82ea74056aca94960f284e49d1b5d5e6278c3a330b558578b7685ef1f03d064f7ca9613a2ae34151d26bab8c331
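The Signatures and Processes sections above record two persistence mechanisms (a dropped file in the user's Startup folder and a Run key) plus execution of the dropped copies, and the Downloads section lists the dropped files' hashes. Note that C:\MintP2\bodasys.exe and the .ini file each appear twice with different hashes, meaning the same path was rewritten during the run; an IoC lookup keyed on a single hash per path would miss the second write. The following is an added example, not part of the sandbox report and not the sandbox's own schema: it loads the report's SHA256 values into a per-path set, then streams a constructed event list modelled on the process tree (the paths, PIDs and hashes are the report's; the event format, the order of writes, the Run key value name "sysdevopti" and what the Run key points to are assumptions) and tags startup-folder drops, Run key writes, execution of dropped files and IoC hash matches, including the case where a known path carries an unlisted hash.

```python
import re
from collections import defaultdict

# SHA256 values copied verbatim from the report's Downloads section, keyed by
# lower-cased path. bodasys.exe and the .ini appear twice with different hashes
# (the file was rewritten during the run), so each path maps to a set of hashes.
REPORT_SHA256 = defaultdict(set)
for _path, _sha in [
    (r"C:\MintP2\bodasys.exe",
     "56d1ea5aade92326b2f6ec1ea19cc140a41a04a3b3f59b16afcf36dd9a6e4e10"),
    (r"C:\MintP2\bodasys.exe",
     "e9d3d29cd4d4b9a9ccc588ea8a333e524c4848136e094d860bbfe3f62df89806"),
    (r"C:\UserDotPS\devoptiloc.exe",
     "5c2a81a0ef125cd3e69c59d53c8a58737f5c81b1ae9837298694782f8d3bbbcc"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "279aee81ec7519903a0b2ee0edb527cabd24cee251a6a0b4f3de3d4b242e543d"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "3ec0b9ad201929c2b548da68faf06212300dc0e8f12c98b83e8301f5faa650b1"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe",
     "f50c7096190d771ae7396ca0d655aaf5080a7df5267702c674ac4193939c22d8"),
]:
    REPORT_SHA256[_path.lower()].add(_sha)

# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# HKCU or HKLM ...\CurrentVersion\Run and RunOnce (ATT&CK T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def classify_event(ev, written):
    """Return (pid, tag, detail) findings for one event. `written` is the set of
    lower-cased paths written so far, used to spot execution of dropped files.
    Event shapes are constructed for this example: file_write (path, sha256),
    reg_set (key, value, data) and proc_start (ppid, path)."""
    pid, kind, out = ev["pid"], ev["event"], []
    if kind == "file_write":
        path = ev["path"]
        written.add(path.lower())
        if STARTUP_DIR_RE.search(path):
            out.append((pid, "T1547.001 startup folder drop", path))
        known = REPORT_SHA256.get(path.lower(), set())
        if ev["sha256"] in known:
            out.append((pid, "ioc hash match", path))
        elif known:
            # Same path as a reported IoC but different content: report it
            # rather than silently missing a rewritten or polymorphic copy.
            out.append((pid, "ioc path match, hash differs", path))
    elif kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
        out.append((pid, "T1547.001 Run key persistence",
                    f"{ev['key']}\\{ev['value']} = {ev['data']}"))
    elif kind == "proc_start":
        path = ev["path"]
        if path.lower() in written:
            out.append((pid, "executes dropped EXE", path))
        if STARTUP_DIR_RE.search(path):
            out.append((pid, "runs from startup folder", path))
    return out


def triage(events):
    """Stream events in order and group findings by PID."""
    written, by_pid = set(), defaultdict(list)
    for ev in events:
        for pid, tag, detail in classify_event(ev, written):
            by_pid[pid].append((tag, detail))
    return dict(by_pid)


# Constructed event stream modelled on the report's process tree. The Run key
# value name "sysdevopti", its target and the order of writes are assumptions;
# the paths, PIDs and hashes are the report's.
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\sysdevopti.exe")
SAMPLE_EVENTS = [
    {"event": "file_write", "pid": 948, "path": STARTUP_EXE,
     "sha256": "f50c7096190d771ae7396ca0d655aaf5080a7df5267702c674ac4193939c22d8"},
    {"event": "file_write", "pid": 948, "path": r"C:\UserDotPS\devoptiloc.exe",
     "sha256": "5c2a81a0ef125cd3e69c59d53c8a58737f5c81b1ae9837298694782f8d3bbbcc"},
    {"event": "file_write", "pid": 948, "path": r"C:\MintP2\bodasys.exe",
     "sha256": "56d1ea5aade92326b2f6ec1ea19cc140a41a04a3b3f59b16afcf36dd9a6e4e10"},
    {"event": "file_write", "pid": 948, "path": r"C:\MintP2\bodasys.exe",
     "sha256": "e9d3d29cd4d4b9a9ccc588ea8a333e524c4848136e094d860bbfe3f62df89806"},
    # Constructed: a third rewrite carrying a hash the report does not list.
    {"event": "file_write", "pid": 948, "path": r"C:\MintP2\bodasys.exe",
     "sha256": "0" * 64},
    {"event": "reg_set", "pid": 948,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "sysdevopti", "data": STARTUP_EXE},
    {"event": "proc_start", "pid": 3688, "ppid": 948, "path": STARTUP_EXE},
    {"event": "proc_start", "pid": 4432, "ppid": 948,
     "path": r"C:\UserDotPS\devoptiloc.exe"},
]

if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE_EVENTS).items()):
        for tag, detail in findings:
            print(f"PID {pid}: {tag}: {detail}")
```

Keying the IoC table on path with a set of hashes is the point of the example: a hash-only allow/deny list would have treated the second bodasys.exe write as unknown, and a path-only match would have hidden that the content changed. On a real host the same logic can be fed from Sysmon event IDs 11 (file create), 13 (registry value set) and 1 (process create), with the hashes taken from the event's Hashes field.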