ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32f

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Size

2.6MB
MD5

eff7b4d48313f3e470f61bdfa5194330
SHA1

325331a07cf4b21b447d2acb3850a97af5773759
SHA256

ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32f
SHA512

375548ec6177b7639bbfdb3ac022ea08345899239345f5ff0c9ed9dba127d0bbf348b83fc3bfee2fb6267d8c3e11087e0ed2b8d7f81654325c4aae4c47f4aac6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe

Executes dropped EXE 2 IoCs

pid	Process
4192	sysaopti.exe
3356	devbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHC\\devbodsys.exe"	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWX\\bodaec.exe"	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe
4192	sysaopti.exe
4192	sysaopti.exe
3356	devbodsys.exe
3356	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4192	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	87
PID 2444 wrote to memory of 4192	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	87
PID 2444 wrote to memory of 4192	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	87
PID 2444 wrote to memory of 3356	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	89
PID 2444 wrote to memory of 3356	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	89
PID 2444 wrote to memory of 3356	2444	ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe	89

C:\Users\Admin\AppData\Local\Temp\ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe
"C:\Users\Admin\AppData\Local\Temp\ccc1a8c837a376ed6b76ea79e3a93ed41e989246ca86a95b6b7cb31a27d3f32fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\UserDotHC\devbodsys.exe
  C:\UserDotHC\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWX\bodaec.exe

Filesize
1KB

MD5
854d7024d6a3690861a5e13adeeebc56

SHA1
2ac1cc8c12d24dba6b5be96438f764753e2534af

SHA256
7bee14ad9ce88140df4a16649b935961e01da085178d766133129df3d97623d4

SHA512
83e4768567adea2aa5df900d4c232d5f8ccf5bfaeb8524a7641aa8d27412adf71a2c90d307b2a7c43f43dbc803b2ee2754ce4035888a928c3543f1c8912422a0

Download Submit
C:\MintWX\bodaec.exe

Filesize
2.6MB

MD5
26dd36abdcfb8b493ea5fbcb6b1248ad

SHA1
7645bf428c33f72b02e7260a7ee339f4c93c86d8

SHA256
0c873eafe68360fb87762b9b71623bf0b7d84b4bcf21faa2c4791a5f272d67ab

SHA512
071f0062993c3fdcdd2f11b2a642379c3134ecb03bfdaecdfade469c873f8e1dc664d0d1e6dfd09a99746824f17bf011c5b4656594d0e5caa251f4f81020c216

Download Submit
C:\UserDotHC\devbodsys.exe

Filesize
2.6MB

MD5
cebec7ebb873af9b28f6a162507e96a3

SHA1
6ee807f4f78a9428245aebbac100ab53ecfa7fbc

SHA256
7e25c5c3dfb8280eb06c006fc20a9744e04f6daf4232e37746df01db1e0310b9

SHA512
1e6c89beb5b2df73497ddf038645b74bfbcabfca1a0c3a743c2f1be2036291e5a41b5d6c75fdd53cb752e97f8aaea715bd8f69247421d5e8daafad05b079d65d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
5f4a79b769b013766d2c91d903b339d4

SHA1
5f707b9c52716fb66bbad87c5b1025dc188adf63

SHA256
c100621a3bde495c5bc91390678ccbf9a1f9766aa18606f6823bb3eea9ed2d54

SHA512
eea56eb457c491ceececd35fefc23178ba7d9b46503b11498f519f2af665b5e0eb88f8c47d69e9ff019efc2f9d209c6e5897df0c86d1148b83e5910ae7686cb7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
b3861377d940a7e420ca0ac52d7cac88

SHA1
d264b47faba522aed8af590ff5626a282ad5f20b

SHA256
ddf553f8723e93fb88c0fb9b6e8d10a33b9658092ea242c953e6a18fce12b73f

SHA512
767e93e44b70dfed602199f68ca7059162b9ba1f2d4a2f026f28441f4305bb5fc6df7c9bfe8f934a4f49ff2e12c2f80dc69f7b9a3b4fb8068ef9a0968f7dbd76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
92c6754b8eaf8c4cd80f700f4a46005c

SHA1
5ee36fc0ce2157273a40365dc0a99f11ad066775

SHA256
ab809d8cd932a3b65c81fe9498904ffbfbaf0bf26ef0ab89179b4c4de1a31768

SHA512
ce092474c70edb00fc8126fa628f0970d7bacb53e833641d26d81c9a9730dd4b04e184a619debc4e62ed699ee93ccfc145e33ee1ea88239782bf133c46450718

Download Submit