Analysis
Max time kernel: 151s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 17/08/2024, 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Resource: win10v2004-20240802-en
General
Target: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Size: 3.0MB
MD5: d128d026bfe11969c9b706abecb160e5
SHA1: 5539a6d5737d1bdb80b49c981730d87d17540f4f
SHA256: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03
SHA512: c9412c68a601f3ff7795726c8eeb0739b4ac35a73bb14e67883a5b16bb229b3cb7ffe743d0fabb1b0d0234be5c552fe055f8625b803722565bce7d2dae80738f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8:sxX7QnxrloE5dpUp9bVz8
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Executes dropped EXE (2 IoCs)
  PID 2952  sysdevdob.exe
  PID 2096  devoptisys.exe
Loads dropped DLL (2 IoCs)
  PID 3004  4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  PID 3004  4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIY\\devoptisys.exe"
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXR\\bodasys.exe"
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptisys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3004  4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  PID 2952  sysdevdob.exe
  PID 2096  devoptisys.exe
  (64 repeated hits across these three processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3004 wrote to memory of 2952
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe (pid 3004), procid_target 29
    (4 identical entries)
  PID 3004 wrote to memory of 2096
    Process: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe (pid 3004), procid_target 30
    (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe"
  PID: 3004
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    PID: 2952
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\FilesIY\devoptisys.exe
    Command line: C:\FilesIY\devoptisys.exe
    PID: 2096
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads