79651e8616f701122275edd7444d7f62478bc2a786d204ec2c59e9f01a5d417b

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Size

2.6MB
MD5

b793dc2ed636fdaee1a701e05fde1640
SHA1

23741caf22809c1bfb9b9d803a070f45b95dfa26
SHA256

4e243bfc150e3df8b0b6c3f274c51e21a61c58b261c4ee963ff3cc1b000b55c9
SHA512

d4f0e7a3aea5cb7216cb7fa0a290845fcf92413c83edd3de3302ffda45a52ee3a28c7faa6da9391be03f7818441b68b96c1c95548e28dc1419eb79f469b92e94
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe

Executes dropped EXE 2 IoCs

pid	Process
528	locxdob.exe
4652	devoptisys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJQ\\devoptisys.exe"	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLS\\bodaec.exe"	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe
528	locxdob.exe
528	locxdob.exe
4652	devoptisys.exe
4652	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 528	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	85
PID 1016 wrote to memory of 528	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	85
PID 1016 wrote to memory of 528	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	85
PID 1016 wrote to memory of 4652	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	88
PID 1016 wrote to memory of 4652	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	88
PID 1016 wrote to memory of 4652	1016	virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe	88

C:\Users\Admin\AppData\Local\Temp\virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:528
- C:\AdobeJQ\devoptisys.exe
  C:\AdobeJQ\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeJQ\devoptisys.exe

Filesize
2.6MB

MD5
ce509cbd40d984e5775dfdd130e695e2

SHA1
3dae2494e9a436da6e29387050841263a88b8443

SHA256
25d0392d640e61431d43e9056e8138acb9a1e6c510a46ef5c1591d8c606485f0

SHA512
42b854c9a2709fb172ef8b6774b41b979c7c1770bd80e033ab0ea0448f24f25c6860765f681e8ad907a25dd8780350750cc7be4677df57d86432fa327701ab2f

Download Submit
C:\GalaxLS\bodaec.exe

Filesize
2.3MB

MD5
3180a5437b9c1e62c760afc944691a57

SHA1
6d6671803bc35dcb3704689278308f4a4ee23df2

SHA256
f9b6dae1ac4e51f18f2e4811ba029bfe76bd9f8f612669a8ccea3d9f38e869f2

SHA512
ad26f91c248cd6b4278c2beb72dd71c029e96c904dfc0409be1a2ee192760584915206a42896da84acf8b2b346deace16323d0eb383b24b37f10870750ef37c1

Download Submit
C:\GalaxLS\bodaec.exe

Filesize
2.6MB

MD5
d47c49a0dcbee832378abc6acbd6bf1c

SHA1
96c5cf362ce09c6299cac6a52aa14083bd1125f4

SHA256
18190dce2417387bba119a148b8f39ad0519e5b889e343c2833d74a6460f07ef

SHA512
d064e7a6e335507c402df6ecad9f65f716af822712c597c8788d77272744d6118aefad4ba1bd0618d12156b1d6bb654a15bdc2018c5c654e33d2781ec91dbe0b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d7ca3807138b91a49bea616e22010de8

SHA1
014d34acdd27d5507bfdd5cc5f3ad1ae528b4087

SHA256
bd6ce190e473a5ee3dc5ca3163324f9e5470f9463a9182419d49d23d64936161

SHA512
1cbb16993f6fc7baf3409cda24796889e409acb1d82a6a04643b387b259f62a74906323b26096964059d0e2d0cf5f398c613591899110b908422463be257ec8a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
fa9181c94ebefb4a53bfc565fcf7e70c

SHA1
0805967de9cd165e93a59868986e7ec8ea4576a7

SHA256
b50487aad5b487d34d03dd9fb8ca76060aa189815473a614ca827b179e6e91f4

SHA512
d2ce1f3fce649986ee40834aaa17e53e640b280564ff2bcb7e040ceb0153669c03e8331aead534745f3bfc5f4fb1ac3af7fb63f8e86976d34264c8887dd57e22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
aceef9ec609e78a7cab3227cd966f21b

SHA1
1c7ccfc45095acf6f14553cca92787f7cdaf3517

SHA256
efc7d1e4bc1dfe380341891b4603ab9840b54edcf53e26d6b99591efbf1e74e7

SHA512
76d2eb8029fab0f8ab5e360504b647b57c5c44e3f9cbd166a956eca501523145f26435555965f6ddf9f95d5f839a7d35d0f751d710af5ca787007144689a2f13

Download Submit