142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Size

2.6MB
MD5

5269a668a24af4644abde5c875624ab0
SHA1

5ed479d2f3024c2a3ae04ad65037c62bf4b50eb9
SHA256

142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032
SHA512

ccb2011acd0d8aaa7a60bcc34e866ac0275f1ad97596e9acde3c540a248c9230f535b633482f1d588d96a6d986fe6cb92973998d1103aabbbdbdf1ccc2462a88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUpSbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	sysaopti.exe
2948	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUU\\devbodloc.exe"	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDB\\dobdevloc.exe"	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe
2108	sysaopti.exe
2948	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2108	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	30
PID 2932 wrote to memory of 2108	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	30
PID 2932 wrote to memory of 2108	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	30
PID 2932 wrote to memory of 2108	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	30
PID 2932 wrote to memory of 2948	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	31
PID 2932 wrote to memory of 2948	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	31
PID 2932 wrote to memory of 2948	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	31
PID 2932 wrote to memory of 2948	2932	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	31

C:\Users\Admin\AppData\Local\Temp\142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
"C:\Users\Admin\AppData\Local\Temp\142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\SysDrvUU\devbodloc.exe
  C:\SysDrvUU\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZDB\dobdevloc.exe

Filesize
21KB

MD5
88b9fcc1cfac313272c4be5161cb5742

SHA1
b613d4a5667f1343e56069d8f33add453c5ce1d1

SHA256
e296c820e3ac6144d1824e7d556771a88f168d7d8d966fb283d534236a8244e2

SHA512
281abb9f1f628febd999e572f771e33a1c8aea4e98c05a3ece3491e7b3c7556280c42726fc3a081aebe00eaebc736ca697de17370c4ee231850651dbbff0ebe2

Download Submit
C:\LabZDB\dobdevloc.exe

Filesize
2.6MB

MD5
19a2d5e3ef403adf6b2c6f562e7ab0f5

SHA1
89b89f172bc70a2cae41aee30fb7bcec1923753d

SHA256
dbc4a7de06c28858f33d706290e4285c57a21854698dc556eb67e7c176274e92

SHA512
4798021e83e02cef92feae5fcd229fc02ae514115732904e984148139deffbb15fa6828fdc339cbc989beb49946c46952f8fd072533c1ee229529260169ed808

Download Submit
C:\SysDrvUU\devbodloc.exe

Filesize
729KB

MD5
6a54b881514ab34a812af9c9d4e10e26

SHA1
12f7ae7667e4f98b8355f55d4f79c93596a37a06

SHA256
48d177b8fdb289fbcf036d613c95a1c0f72fc92d4863838dfad9e36649f167c1

SHA512
a4bde7c079b0923676bd6674e64043a10ad35f3f11f8c6570a0537bd30fa82eff85a8278d4e75a02e11543cb8a1ae449d3ae033c6d3cae6a317dfa68317b70f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
df0310a66d0726027e818b03023a2905

SHA1
ab865ab6762bf44fe87ea4ed4e25f6f76418411c

SHA256
c91298d76287e6e9c94fd373ecb53d67c24b574c216b598ab9d163de75a1edba

SHA512
64ca21383d4d972bb3cafdc6adbe7e68c02c92b92e71d492b49efdcec3849275aa8865feb53b867d1e12245595e6d5b0d5ec15c3062b70abd7a06c22e0d07ebf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
47e7c2dd7cbe4de46d3dbeb18faec902

SHA1
7585a7fb516e0ef5f53eea80b29b1ea27f8fd624

SHA256
a0e5e409c0449e0990f91d2f5384315d7216e1c9157fb5905e6c4682cc1a131a

SHA512
2278e54b3e83153dea7785c8bb56785bbfb9270c6084863ac3b952a2e9ba6e82668fa4188be9955b50d111ef1a3816c5f33ca7e8f2f058510d494748a6d3c858

Download Submit
\SysDrvUU\devbodloc.exe

Filesize
2.6MB

MD5
0069ab8c7b125d3b3fbb13e0fd57fc3e

SHA1
9d71c709fa6b8883bc214da5d2fd0bf99d48fdc3

SHA256
81ce1dd6c32d6f96e1bbd9d874fef01845aa97c10629194e3b9494aa8bde727a

SHA512
64f6bd92095feb91d199cf1ed61eb0ec0467f8e0282c20bbcdd713b0b5a20d491fa6c9a935754ced48d64c28731f3466af721dd2bd7353fc79600af671ffdbd0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.6MB

MD5
47404939267de412db153df6aa639a85

SHA1
60e252c3bac6198e4e81a6bb98277715fd7e9bd0

SHA256
34832a4aa91e7a6cfabb665f06d2785190e1865188ef51c7e8944ea501307df8

SHA512
b8bd2fd8d3b8f444d9c0e4d92833c38c224383fe0f3758db5016d5eea050928afd75d70e7fad11f08ac8be5ae2a8344c2c9f4b87e453ed68609e255ca223396b

Download Submit