Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:36

General

  • Target

    f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe

  • Size

    4.1MB

  • MD5

    05f4d5e7cd958137428debf26c8fbb32

  • SHA1

    a65845a9094d8e7f04011f7cbefafa417707eee6

  • SHA256

    f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30

  • SHA512

    53f28c3295a3d8045a3c420d2cbc307e7246b79b41d2331991d793be14546bc0d6e85426e283c2a00747080c0ebf6739924ed73c6b848c2dbcacaf3a27703a05

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
    "C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3300
    • C:\SysDrv39\xbodec.exe
      C:\SysDrv39\xbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintL5\dobdevloc.exe

    Filesize

    4.1MB

    MD5

    4527b53d61c96c5bf6113c8ed376548f

    SHA1

    577d097573e3be63c88bc36d28ca050ddee677f0

    SHA256

    753785a00bb0a2586799f4a65703d3fa5608dfd2bce184c40688ea570b301c37

    SHA512

    a12c68a5b52219e6792599724e5422fe10003db0d36d0f4a8c996857229a3e01966bb2cd96215b915b04c1b78698469941a485ae60201fa748a4b5f0a9d88ab0

  • C:\MintL5\dobdevloc.exe

    Filesize

    4.1MB

    MD5

    8e3f4c8aeddc2c5e699ae33dee6b07bf

    SHA1

    63ac5e9d925f9339945c1f7a0b31b62e2aec7570

    SHA256

    621e6c81a89c7c5ab293b56b08d182017de98a75eaa0bf5fef287a91b5f68028

    SHA512

    12545a5b91be575930f33337e659181f11da52b6c66dbbf4272f46304632de93ca09503074c3f5a0d8bbe2ab3fd85a7f53b6dbc266d85809cce46618a6f5506b

  • C:\SysDrv39\xbodec.exe

    Filesize

    4.1MB

    MD5

    3e560b728c888e2569c4625ca6ac8cda

    SHA1

    e13e6db2928e37e861e27fa38ad6ac13ae33aa97

    SHA256

    3fd2dcfff2b4667348bdb20afeda30185dfca86cad40289fe896e7a2bd3e71c0

    SHA512

    39aa829fbdd5166ec8944afd89ca34212169691fafab660a7da49846f9c540fbcf0149f5af23001583cf8ce80512756542989af65d5c255112505fd6394b7f4c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    14d9b934ccc13df15d55fd5a1fe540af

    SHA1

    7dfbeba25f770b98e5aa392e7cc8ee43144b19a6

    SHA256

    5eb7b0a4cf782c31ecb752d60771fa8444d2a39670a456037c1165f6179f1849

    SHA512

    2b21a253a256b33de35d1f95f6339b0e12eeae41a3023e1fb471218ed797fe650d7b625000ba07cbca51f4f9b8fad6f11b7d302042b4107839328c05377c52a8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    a8633a058dc0051db259c9d06fbc8b14

    SHA1

    ad86f493ee775cc6114f90e80e8d66574e64cac7

    SHA256

    d327cda432675aad8410408501aebcbd6aa4295e0aed4c589cb1066c3e07286f

    SHA512

    79e92a6ed0eda0dac7f97a00debb677efa2e4b04ea82eddfdc06acf7ba4d63b56d5bed08a24a81d7aa04498305dcb6903b6957a96a218a585541e337ad51bd85

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    4.1MB

    MD5

    d7fc32b8b0b03b155b387512e204cd9e

    SHA1

    758c3d521367af1bb69497e6d510bae3695f7bfb

    SHA256

    dea2f836c827402647a777d0c32dc35bc759b3dd9d6c62ad0b397ad59f13fdc3

    SHA512

    77c9bedd3a67cb47af22a3041d5240edb11917c997afcb50b94c2007e948bbacda966feaf25a81f196f95474e255c8457729d140e09716279139e633404b6bfc