f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
Size

2.6MB
MD5

9ece46260df281657cf0a581775ba29d
SHA1

69c98453cda8039971fec87eec71d64ebd4433d6
SHA256

f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59
SHA512

237fa523cd9631360bbc170373ea844c94a4021ef67fd109122fd1f4594214f55345867ca2b2286f61661d67b65c116510549a37a2727d771c6f07ec0a62e820
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bS:sxX7QnxrloE5dpUptb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe

Executes dropped EXE 2 IoCs

pid	Process
1284	sysxbod.exe
3552	devbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIW\\devbodsys.exe"	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNJ\\optixsys.exe"	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe
1284	sysxbod.exe
1284	sysxbod.exe
3552	devbodsys.exe
3552	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1284	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	87
PID 2908 wrote to memory of 1284	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	87
PID 2908 wrote to memory of 1284	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	87
PID 2908 wrote to memory of 3552	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	88
PID 2908 wrote to memory of 3552	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	88
PID 2908 wrote to memory of 3552	2908	f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe	88

C:\Users\Admin\AppData\Local\Temp\f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe
"C:\Users\Admin\AppData\Local\Temp\f58586414d8d3bc891b55d3be52e418e3214036d3d39d42f9d29e56c3b4cee59.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\SysDrvIW\devbodsys.exe
  C:\SysDrvIW\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZNJ\optixsys.exe

Filesize
2.6MB

MD5
47d4b91bc1c28427101b5cc68cc3b337

SHA1
45fac5088a4ffd8c38d6795d4eab72e43b582a09

SHA256
2bcdecfc0c7703821196cc4da204fbfac77995b4e615705c7b0a40bcf0642ba1

SHA512
dfa4eeeaf77e5bbe408536576e8b8da406bda717db159b382646f51108ca78999a59478770b52aca909f7a50d042d9e6bd5a1dca7837f41951161fb1271508af

Download Submit
C:\LabZNJ\optixsys.exe

Filesize
2.6MB

MD5
a984504c33753ba489beeedf34b9e967

SHA1
6c7e6e19684996f8901cb8a9b267f3eaecacf75e

SHA256
d461fdd5efbecd377cbb2d6c1b5c6a80c08af1ddd71842ef79262f824b0411a6

SHA512
2f7256ed07a042e7e435b4bcea4066dc3ce2ff3b07cec6f021069bef03f11ce00b20e90e1b100a25ef15d4224d10aa4315504dd0f32ddaaacc137cbf3414cd9d

Download Submit
C:\SysDrvIW\devbodsys.exe

Filesize
2.6MB

MD5
2bf25661faa6c649ca14f015840f87db

SHA1
93ee6a75b44587d07152e450f4c235d5e0fbf84d

SHA256
4cf3cd144ca8dfb8dc023d96e0c9dd0643a395da527908b9e83c3e06de22e148

SHA512
f72e321e6b92198570efca61efc310155e91139369ff4bae7ffcff057291d05bc014d521515044e189367c30096f23ea20b81e44ea348e3bc59f2edb4353b11b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
75417847c8d2b2511903ae3289b1b9f3

SHA1
fade094533d6e5bac7e64010731af4a0f72443a9

SHA256
1e5b3222309ae1150cd8a100f5f9663e2b185e2be5f5baebaeed9d9d02d30d4e

SHA512
8f2bee464c5bd8999f9439ff2834f6b08f3e72279fd3384c2229ac96d6e1c1aed7a5fb3228d9c562a6db07d50c32d04affad6731582c80da79d8e93909ca16f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
2d57c01145acfe85e5f4f652b095ba84

SHA1
4e91932711c7ae0e08de16fbcde1eae2bd15f802

SHA256
ea85461d704bfe7a026151e8dfe0a5c857e456e9381685ebe145b0996837ab82

SHA512
9e26a7b1f9a75bcd8a6eed3447edfd2153377b6dcc4f25a4ba508f3db284d8163acfa8db32933d4f4076a8f5205df83506b054e474252c36cec849d50b0cc878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
2.6MB

MD5
9da328b430cf366c06b12a742cba03cf

SHA1
31b666e3d39d726848fd577f38979175c09ee59d

SHA256
dd33f6a26930ee846803ba1bc381abc2a146f4366646532da1a20c2cc2df8432

SHA512
cf840d71a1cf7081907ac64e5d3f9487eecbe40378e33b6421754f8cb9c230ef1f6e46c62429a05766d7fd66902c158fd232497b5b29486b2487959bfc8f8dac

Download Submit