Analysis

  • max time kernel: 151s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 17/08/2024, 22:06

General

  • Target: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  • Size: 3.0MB
  • MD5: d128d026bfe11969c9b706abecb160e5
  • SHA1: 5539a6d5737d1bdb80b49c981730d87d17540f4f
  • SHA256: 4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03
  • SHA512: c9412c68a601f3ff7795726c8eeb0739b4ac35a73bb14e67883a5b16bb229b3cb7ffe743d0fabb1b0d0234be5c552fe055f8625b803722565bce7d2dae80738f
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8:sxX7QnxrloE5dpUp9bVz8

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)

    Malicious access to, or copy of, a web browser credential store.

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe (PID 3004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (PID 2952)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesIY\devoptisys.exe (PID 2096)
      Command line: C:\FilesIY\devoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • C:\FilesIY\devoptisys.exe
    Filesize: 3.0MB
    MD5: aa498458f049bbc72ef431f3be852dd3
    SHA1: f701bba185cd293460953de1eec1d023b50ad411
    SHA256: e4139a3c30f050adc371d9da65d69ffa98504b2c97ab162d76a4f2c1e6aff0b3
    SHA512: c7b254380a468b47f131882ac7a9a2f2bc4b9a695e2835bde2c0e68560343290e5b1edd4100304c53d1f8855a03a4a6e2815e0ee82ba95261251ca90e19cac72

  • C:\LabZXR\bodasys.exe
    Filesize: 3.0MB
    MD5: 369273e39301391b1be13b014a8459b6
    SHA1: 42a705640008b59995b7da93839c3b3257e27e82
    SHA256: 6a5501bc88c4677543b88aecb476f4432411a6a18951f8fea8a3673e3b2a9893
    SHA512: 5404df8dab06d4ae4f635b16a59198d116bc687a712f742c836a6a49734db1460b06d703f1b8b2604ce4b6d081d586dcb4ea8e9a86d0c4e504cb99c24a018faf

  • C:\LabZXR\bodasys.exe
    Filesize: 407KB
    MD5: 5380f74ea2c2f0e34a1f2d9ccb857f55
    SHA1: b020760eaaba2ac7ff6f11d27e323603bc96312c
    SHA256: 2c03c8d3a459d01a74b56df8976d2550c05789af7cdea045ac754a693cea268a
    SHA512: 748ac044050b51e6ab779bad587264315bbd90b925523f8d97f7e5429478206c56603a71bdae178f96cffb7c02a553f5a97bf26b35981d1a5865a8e4f6ba7d38

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 6612d69708b48b68efaa3ec4512ab2e6
    SHA1: e42d40e9371e7c9b6896550136df111610bcefd5
    SHA256: f93ffb6b7fbc0060c4d95d935af04f943ce05776cea9cfe1120f4d680fd25a0b
    SHA512: a2274df6f1313201ea59a20684851087e6df0cf34d6eac534fca9aa9be8fdbf2970575cad090ab75f8cb67bd010767d6d7df1a8ea3063bf25865ba05d6061d64

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 1af46be8614c8bd783b5d291f00368b8
    SHA1: 4f6b4e3ebb6629e610cd77075486bae1a71fc1d9
    SHA256: 626d456ff5b97467a4586a78170c3854e323f3cc56a6d9d4d1f7d08063c3d60e
    SHA512: 05334c2c9be73776f71a6734860772cc34c978bf007339e009465bcd14fd858b2b9781b2d2390ae8d655b36f467af2625e49e812aff9b3de234987f63087411d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Filesize: 3.0MB
    MD5: 7e04a32b6329f7c869e6b8c2c22c0fdf
    SHA1: d4bab3891b77c48a83a16c5f5f8f623c5737a8e3
    SHA256: 700fb5ad9330675c53e06d7e33f2a23e8e5f6c53dc7b51f4ccc7d4013995d950
    SHA512: a5eaa73676bb34fd90bc22f8ac53ca75056048c85a30cc21ce0074c43c8295117124d2f0a3c7f8934b52e66e3f4f1a58f214b990445b3bbe5c83d72ce3721f80