2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
Size

2.6MB
MD5

1cf67ddbe607d3a6fc6103d158486730
SHA1

630968a03725682ac15ff58d0319d382f9e781cc
SHA256

2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2
SHA512

bc03e3a24a6b0a90001047d6418edb42c4b7194f8bafe6b10522219d6c680ed7caa04501af0be44c9af067170cec6ed1d7c6203a66e2a6dc3a119685ccaba390
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpeb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe

Executes dropped EXE 2 IoCs

pid	Process
5004	sysdevopti.exe
1252	devdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ0C\\bodxec.exe"	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ8\\devdobsys.exe"	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe
5004	sysdevopti.exe
5004	sysdevopti.exe
1252	devdobsys.exe
1252	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5004	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	89
PID 4112 wrote to memory of 5004	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	89
PID 4112 wrote to memory of 5004	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	89
PID 4112 wrote to memory of 1252	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	92
PID 4112 wrote to memory of 1252	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	92
PID 4112 wrote to memory of 1252	4112	2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe	92

C:\Users\Admin\AppData\Local\Temp\2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe
"C:\Users\Admin\AppData\Local\Temp\2c4422ab9edc28e0ce041eeebbf4da97aa9584f9ca16cf43b6eba5df6cdd0ff2N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\FilesZ8\devdobsys.exe
  C:\FilesZ8\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesZ8\devdobsys.exe

Filesize
2.6MB

MD5
d5a3ecd47482c4b8a55fa8f34e4b61b6

SHA1
d926e40f8971867a6506837df14f0af15e1858a7

SHA256
32c1209be8b643c73ffc726b6e7747fbe121f5854e06bbc4f33a6e8768326152

SHA512
a050c6b53e3635784e86f804c75b56106a3ab8f6ef97f9111a4a67d4ab6a616a19c18dee5ae8033572b4008d460099c4cdc64734e6e339d9224637e6d4809174

Download Submit
C:\LabZ0C\bodxec.exe

Filesize
1.8MB

MD5
7b3c5378a77738c0bd5c1a173bf35c17

SHA1
4bfcfb2e2589071517272c168e09671c7b53d624

SHA256
bc47407bece68397665667c942c3135ff90938f28ca6a872818ab8208a458f72

SHA512
ad04b17ef8631a3d51f20aa03a16e0b09316c958870d9921d0c466a91f435cb5878248e2bc6a3071973557e31c78f63662ce940c9b53a748da2ac9a8b64272b8

Download Submit
C:\LabZ0C\bodxec.exe

Filesize
379KB

MD5
1101255e3a972f6f4d63c7fb5d1db6cb

SHA1
0212dc0bcf8aedc44e6280b44f95ddcb83f4ae33

SHA256
00907a1641510baee7643c95a0787de8e7c782d79510e380ccec333c9d0eada5

SHA512
f3ed98775cb5bd794fe014919ef024a0d0d31ef1c26e4079aa9966093d74616f5a1239bad8208319635b58b1a7a759c21805e6893f5845b299569a2b8dd498b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
aa6466aac33b3c1655b86bd0e85fa648

SHA1
2aa5ddff0edc17f72e72345969623c35e36cb257

SHA256
c1906c43a4635afd812c5611e4b03608c23cd9508eebfe75341fe1693da0264c

SHA512
3c4c665cb939c5fea55e3db5220d6c7eb80a15570f937f63f4bd5c4d529c97de580caccd775b651fa3996e5d111015e87a5b1b35a0a356900d5ae63962191308

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
3552b7000e1f682ebf27e5f8a1750ef0

SHA1
c36880cec54cbd170ce00cd122dc0bf724aa9d8c

SHA256
03010b7935efed6aba18825d545d0b45f59bd381db619a5bf3dc0d013b459983

SHA512
8b0bcd3b6dcd6a03fde60d461de999e184483c80e1f9222c79fb56a68e65bf924057a3d8c13c665b99694b3f11095652a2627dcff9195786c6d77376d5fd6ffe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
3a917ed66530d125b65a4425b1e4e08a

SHA1
181cd800d78cfb4a728c59024e3da3a20b46e209

SHA256
6f182e4c9fbcfecba3c31fed50f3a4575e980d448dda139d533435283d7f53dc

SHA512
8c05b09ae8f3d2270ac7ca0b600459153e94d1c559b7acd0f991177961a97d457666e11bb068d67888967a0089e1704d9696358efc6ec2ba997a156fbf674832

Download Submit