Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 20:29

Static task: static1

Behavioral task: behavioral1
- Sample: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
- Resource: win10v2004-20240426-en
General
- Target: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
- Size: 3.0MB
- MD5: 4727d9b040ee0aa624713fe75d534379
- SHA1: 037d1af38ad859a82ce3e0a09a31db3822d063e4
- SHA256: 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f
- SHA512: e73b2a67e39a39f15edd8662fb46dbd3b8ed1d710a398b86f1576038c4a8e266c16c37661c15dff480cfe2079c1431a4624f3096c6db16ed5297e09b8eb92f13
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNX:sxX7QnxrloE5dpUpnbVz8eLF
Malware Config

Signatures

- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  2892 | sysadob.exe
  3180 | devbodsys.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDF\\devbodsys.exe" | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT1\\optixec.exe" | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
  2892 | sysadob.exe
  3180 | devbodsys.exe
  (the 64 entries are repeated hits on these three processes)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 100 wrote to memory of 2892 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 85
  PID 100 wrote to memory of 2892 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 85
  PID 100 wrote to memory of 2892 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 85
  PID 100 wrote to memory of 3180 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 86
  PID 100 wrote to memory of 3180 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 86
  PID 100 wrote to memory of 3180 | 100 | 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 100

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2892

   2. C:\FilesDF\devbodsys.exe
      Command line: C:\FilesDF\devbodsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 3180
Network
MITRE ATT&CK Enterprise v15
Downloads