Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  Resource: win10v2004-20240611-en
General
- Target: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
- Size: 3.9MB
- MD5: 5348da2c63a0193d370a7da78fc3a8b9
- SHA1: 69a1ebda52b6fdd73cff4b646c336410dcb6ee3a
- SHA256: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a
- SHA512: 88230ab1ec96238f6321c5b2a6a4f5166be9da183ba4d075c5113a9187d24c685f91f8571cf0ab66f751104e36a73cb6284a6dd9b3c676316d91f4fe392d79a4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
- Executes dropped EXE (2 IoCs)
  Processes: sysdevdob.exe, adobec.exe
  pid | process
  1580 | sysdevdob.exe
  1192 | adobec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2G\\adobec.exe" | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQM\\bodaec.exe" | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe, sysdevdob.exe, adobec.exe
  pid | process (64 repeated entries, all for these three processes)
  1624 | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  1580 | sysdevdob.exe
  1192 | adobec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
  description | pid | process | target process
  PID 1624 wrote to memory of 1580 | 1624 | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | sysdevdob.exe (reported 3 times)
  PID 1624 wrote to memory of 1192 | 1624 | b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | adobec.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe (PID 1624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (PID 1580)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files2G\adobec.exe (PID 1192)
    Command line: C:\Files2G\adobec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads