Analysis
max time kernel: 149s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:36
Static task: static1
Behavioral task: behavioral1
  Sample: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  Resource: win10v2004-20240508-en
General
Target: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
Size: 4.1MB
MD5: 05f4d5e7cd958137428debf26c8fbb32
SHA1: a65845a9094d8e7f04011f7cbefafa417707eee6
SHA256: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30
SHA512: 53f28c3295a3d8045a3c420d2cbc307e7246b79b41d2331991d793be14546bc0d6e85426e283c2a00747080c0ebf6739924ed73c6b848c2dbcacaf3a27703a05
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
  Process: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Executes dropped EXE (2 IoCs)
  PID 3300: sysdevopti.exe
  PID 4000: xbodec.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv39\\xbodec.exe"
  Process: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintL5\\dobdevloc.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4052: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe (4 entries)
  PID 3300: sysdevopti.exe and PID 4000: xbodec.exe (remaining 60 entries, listed in alternating pairs)

Suspicious use of WriteProcessMemory (6 IoCs)
  Process: f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
  PID 4052 wrote to memory of PID 3300 (procid_target 89), 3 entries
  PID 4052 wrote to memory of PID 4000 (procid_target 93), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4052

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3300

  C:\SysDrv39\xbodec.exe (depth 2)
    Command line: C:\SysDrv39\xbodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4000
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.1MB
MD5: 4527b53d61c96c5bf6113c8ed376548f
SHA1: 577d097573e3be63c88bc36d28ca050ddee677f0
SHA256: 753785a00bb0a2586799f4a65703d3fa5608dfd2bce184c40688ea570b301c37
SHA512: a12c68a5b52219e6792599724e5422fe10003db0d36d0f4a8c996857229a3e01966bb2cd96215b915b04c1b78698469941a485ae60201fa748a4b5f0a9d88ab0

Filesize: 4.1MB
MD5: 8e3f4c8aeddc2c5e699ae33dee6b07bf
SHA1: 63ac5e9d925f9339945c1f7a0b31b62e2aec7570
SHA256: 621e6c81a89c7c5ab293b56b08d182017de98a75eaa0bf5fef287a91b5f68028
SHA512: 12545a5b91be575930f33337e659181f11da52b6c66dbbf4272f46304632de93ca09503074c3f5a0d8bbe2ab3fd85a7f53b6dbc266d85809cce46618a6f5506b

Filesize: 4.1MB
MD5: 3e560b728c888e2569c4625ca6ac8cda
SHA1: e13e6db2928e37e861e27fa38ad6ac13ae33aa97
SHA256: 3fd2dcfff2b4667348bdb20afeda30185dfca86cad40289fe896e7a2bd3e71c0
SHA512: 39aa829fbdd5166ec8944afd89ca34212169691fafab660a7da49846f9c540fbcf0149f5af23001583cf8ce80512756542989af65d5c255112505fd6394b7f4c

Filesize: 205B
MD5: 14d9b934ccc13df15d55fd5a1fe540af
SHA1: 7dfbeba25f770b98e5aa392e7cc8ee43144b19a6
SHA256: 5eb7b0a4cf782c31ecb752d60771fa8444d2a39670a456037c1165f6179f1849
SHA512: 2b21a253a256b33de35d1f95f6339b0e12eeae41a3023e1fb471218ed797fe650d7b625000ba07cbca51f4f9b8fad6f11b7d302042b4107839328c05377c52a8

Filesize: 173B
MD5: a8633a058dc0051db259c9d06fbc8b14
SHA1: ad86f493ee775cc6114f90e80e8d66574e64cac7
SHA256: d327cda432675aad8410408501aebcbd6aa4295e0aed4c589cb1066c3e07286f
SHA512: 79e92a6ed0eda0dac7f97a00debb677efa2e4b04ea82eddfdc06acf7ba4d63b56d5bed08a24a81d7aa04498305dcb6903b6957a96a218a585541e337ad51bd85

Filesize: 4.1MB
MD5: d7fc32b8b0b03b155b387512e204cd9e
SHA1: 758c3d521367af1bb69497e6d510bae3695f7bfb
SHA256: dea2f836c827402647a777d0c32dc35bc759b3dd9d6c62ad0b397ad59f13fdc3
SHA512: 77c9bedd3a67cb47af22a3041d5240edb11917c997afcb50b94c2007e948bbacda966feaf25a81f196f95474e255c8457729d140e09716279139e633404b6bfc