edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
Size

2.6MB
MD5

ffa031f00ed5886b98f5deeed9845a56
SHA1

c472295112fae18d5467e15cff1a11ef4e002b78
SHA256

edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a
SHA512

9855bf6c95f07e9954080f18bb796d2ec9e0241d092167e8b0b95652193dece1f0a2970eaefd218b5442ad287aaa24d4770ba6185a802fc78311ca2d98270f60
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSq:sxX7QnxrloE5dpUpIbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe

Executes dropped EXE 2 IoCs

pid	Process
3104	sysdevbod.exe
3532	devbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8B\\devbodsys.exe"	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYS\\optixloc.exe"	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe
3104	sysdevbod.exe
3104	sysdevbod.exe
3532	devbodsys.exe
3532	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3104	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	89
PID 3968 wrote to memory of 3104	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	89
PID 3968 wrote to memory of 3104	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	89
PID 3968 wrote to memory of 3532	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	91
PID 3968 wrote to memory of 3532	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	91
PID 3968 wrote to memory of 3532	3968	edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe	91

C:\Users\Admin\AppData\Local\Temp\edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe
"C:\Users\Admin\AppData\Local\Temp\edc39bc6617ef187a916c68706fab27ec86e830ad759bf59359f37a82581652a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Adobe8B\devbodsys.exe
  C:\Adobe8B\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe8B\devbodsys.exe

Filesize
2.6MB

MD5
b18fabf48baebcc83044a084d02eaf67

SHA1
4a398900972ccb06dea32f223c261e976d59486e

SHA256
76f191ccf40c19f8c4dedb09448ec214f442ddd5a42cdde6b1b8bc1c2c28ea1a

SHA512
d1dd811d2b0b09ee8c9fe549265f8ba25116000b0309a05cd779510939bfac5a157327844521140c7e1b7845584aec3239cc50d4a5c1409225a8a3198744bd67

Download Submit
C:\GalaxYS\optixloc.exe

Filesize
2.6MB

MD5
e085cef47ad8286258b2cdd2fc2c3c93

SHA1
0a21975099608a709976c9e4d448016c6369b770

SHA256
0e82373d58e819ba54b63d8ae87e11fe458f3b99520a6a9f0ae39ab76f42da81

SHA512
358488788e7fe3d9dd0262f9ae75df365e5e64dad76ead68b9426c246d2548535913ca3a238dd802b5692f3fd9454c1325b62bc502f88e163ee916cc14735438

Download Submit
C:\GalaxYS\optixloc.exe

Filesize
50KB

MD5
5a5665c7137dbb99c240364297a4a512

SHA1
382969d394b80571fb04064003528f6f7cb81c89

SHA256
43da80304f219af92d96cf484c45a88d31282f654bab20c3b544a38bc2b1bf0c

SHA512
33b15087e7796b5765f6e892f3aed8ca9515db91a47d84744d014014ed36b1a91df2e1fe0609dd04eb0f54498f460a4cf2af8d67cc9f898e606ba34323841b95

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
26c991db8a6d7dc60db7496d3ec90c2f

SHA1
fe42ae87d047f3280332e2152a7872e9552d8184

SHA256
aa10c8567762a1f812e29a294a660bab619f41496ed08e7b2cac6f7565c24058

SHA512
2f3d79dfb8344303937a159f6aa105b2423c0036e55652b87adc418848d1e1373c91b2b0229cf9615f23a693bc776930c580746e38f12d31493109807b82e8e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
b1e540fd036c3150f5e936cad55af882

SHA1
8bed3e09e7362b19eeb28e30f3febfb262389649

SHA256
d120f5a49bcd953af689391e62c76e7e429b1d43f37e0330d6c31ce59b97cb61

SHA512
ae5716e4c17885e47310ee7872d910598c3aa5a3b2512538395f321b0468767f1015be73ae0e592af971a95ff611f9f7d46bb290b8216538d23fa57fb1fc8902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
166075374792a826de54d6691f5ce95e

SHA1
2b496eb0999a50ffcb1ba25f7e387c6fe3c51ebf

SHA256
4d41626810dd056dc06cf596b5e962f6633182720eb75f2e8647c4d844f34658

SHA512
021b1a1c4dce8af97be4b5e0abe01c69a16c81266e787b620128218771823c9667d13b99c2334db1fefdaf8574651fc00d6697ed1989c6f89d385da037549703

Download Submit