Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2024 23:49

General

  • Target

    8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe

  • Size

    3.2MB

  • MD5

    b2aa23a9d63c0e21ca40ee9319acd429

  • SHA1

    e27c188fb31b18e217b3bdedc294cb90eec39c62

  • SHA256

    8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53

  • SHA512

    8271d9d5899a015b08c2d887cce8fd7a15a1f494ea2b55d345982bb1be5f64c229e3fb098889abfb431466ab93a7d5ac5d01c087efac61080b22dd48da3150fb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe
    "C:\Users\Admin\AppData\Local\Temp\8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3044
    • C:\SysDrvZ9\devdobloc.exe
      C:\SysDrvZ9\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintXL\dobdevloc.exe

    Filesize

    2.1MB

    MD5

    89a3679a3becd5dc3cce162ccb01f02c

    SHA1

    1a63700ad8dd3c481d3707a14672467e1a6293f5

    SHA256

    fce1941452b63af48cea2b4a8b97c65e29a9dbce1d0f028fa90fe8c87cbc8b55

    SHA512

    85e1d3706af2b077755c8e288eaa0bff46adc84a1839c3684ac42946a210fa59650944ba87fd3993f2db87d4368bec172fb6dc7847295fc8520b26b32b961127

  • C:\MintXL\dobdevloc.exe

    Filesize

    3.2MB

    MD5

    4f4dc8b92c41ad1de36a9ad62a961ac0

    SHA1

    c666cb7051f7a85622824376ade24840dc6b3174

    SHA256

    1ad7aba0474cb7ec8a400f6848efca188a4dadcd769fe7858432705711d0057a

    SHA512

    aaf0addf28f3dc0d6df8598ca6cce1c017bd149e7631e3cf43f51211d096fc9a33fc7d4e0796ee92f38af06a36aa37a9cbf670734e962afb3272ce95c989cef5

  • C:\SysDrvZ9\devdobloc.exe

    Filesize

    3.2MB

    MD5

    238db7df09efd53b0e3f11e0ebb16eb9

    SHA1

    775f7c29a00922bc170e3c7f444e36a5e4f75ffe

    SHA256

    1981c776c5b2ec37871ba7d52d2ea4252d21acc2c16fe312dd3488828743b1ad

    SHA512

    198802ab83e16dcf809ecfb32664b6a79b7ee1cb168ef6f2cf2dc766fc8bc39516bdac83d2bd5244d00e2058ecbf415d530a1ba638553b81bf5d97ceb92bf294

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    c8d522c77f5ddef15b8f2db4a0d8423b

    SHA1

    e4a85cb23a6fbb77d4f758a2603e61ebf9cbbd6f

    SHA256

    ec0ce132a83cdaf3c19836af63c1b5553374d19d4f5b066552cf16962b39523d

    SHA512

    efc37cf4685b40a7c3c60b88fd448ad2a915997afb8fcc35167e90aa3aa447f0acf6e43fe135f1eed6203d2d865812d979bfd2867bf6a3cbec8b198a8d9fda17

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    854c232a225269e045136916e2759f2a

    SHA1

    564348ad6adce6180bda0ec75a03a87556a3cd6f

    SHA256

    f6d944c370540b226e5881c645fb3bb8426f423859a6fa3599a4c374890a3e4d

    SHA512

    fc280dfb61ef4cdb6c7250bc52d3554656ff4c2b8bb8a26218eed7591ba91dfd372a0c63dd6321b22a7cf466002478c7ffc18acc426595ad6c45eddb10d28076

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    3.2MB

    MD5

    3f9a8f8676053aa60c470b8a68e40c17

    SHA1

    8f836c028d8584cfa81fd1f13f9260565a1dd6e2

    SHA256

    909f18bceccf66c58395d05b96d94aca5489ccdfc51225f95ef2d55ffa2aa1f0

    SHA512

    e1c84c99f7073f8921c52bcbe1b2b8d35d36ee1824e5c1a712a698bad44abf7fc837b8103b2639f1d627f185fb0db38b642e6a6d6e78e715e8449094dbcfec97