Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 22:06

General

  • Target
    4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
  • Size
    3.0MB
  • MD5
    d128d026bfe11969c9b706abecb160e5
  • SHA1
    5539a6d5737d1bdb80b49c981730d87d17540f4f
  • SHA256
    4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03
  • SHA512
    c9412c68a601f3ff7795726c8eeb0739b4ac35a73bb14e67883a5b16bb229b3cb7ffe743d0fabb1b0d0234be5c552fe055f8625b803722565bce7d2dae80738f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8:sxX7QnxrloE5dpUp9bVz8

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff631d814caa7e610f4efc21b980240b85e986c0328880152de722b87da2c03.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:976
    • C:\UserDotWS\devbodec.exe
      C:\UserDotWS\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2724
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3056,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
    1⤵
    PID:5084

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\LabZQQ\dobxsys.exe
    • Filesize
      3.0MB
    • MD5
      6c648c3f557a678b5fd5ef5c3b230f5e
    • SHA1
      107f3724dbe68c0202a699b5300de8024d4f2d6c
    • SHA256
      e01f8b2c4c11bb4190fde56ef3bcb21427e5cd47012227b0959dd31e567ebb2c
    • SHA512
      5a9b4f7137a91d3cdc2c2a892713630c043df0d5dbe0551f0e59084f4692f951286b2c1072897d6def6eb00a5572d7ebaf730024ab769531c6ff604d3cc8f11a
  • C:\LabZQQ\dobxsys.exe
    • Filesize
      465KB
    • MD5
      2986cdd2de584a1ddd0163579bfb8bcc
    • SHA1
      1d371801a535fb4da3e6791d232a6afa57bc9af4
    • SHA256
      e5593e6f73875bd630f13ce5bce074558eecbca8c7799d9b6605b32569ac40d1
    • SHA512
      be231c8a43f96d5713c31ede91dfd0172f748dd6f276903cba5058b7f4b1f262be7942a908043d57a4066989ec4caff81e5d85892d99b87ff91505b41b920916
  • C:\UserDotWS\devbodec.exe
    • Filesize
      308KB
    • MD5
      ecb86671afdab56d722dfdbaeb1dd77a
    • SHA1
      c42c6de98e313d5aebd3a56a590a090001722241
    • SHA256
      061f4d2321acb2815360a70045dd2e0e9dffa26d8a1cbbbd53e3975a2390366c
    • SHA512
      91f978d46ae705fcf026ca97f2ee273c416495cc0b6d41178aabb563e1b674914d8f34cd9e07b832780c89ab0ac2d5762e9299d9c73c888132f2fda05dcdfe5d
  • C:\UserDotWS\devbodec.exe
    • Filesize
      3.0MB
    • MD5
      3956a95ab46e533a82cf09b6e2c81a66
    • SHA1
      53d0d0d1d0835a958f61c58308cba3952ebee74b
    • SHA256
      45433f44e39508accbb995c11c14bccdb9a3b1c273dd9d639656bb672bbfdc2c
    • SHA512
      ec407bd5af65d9a0f8714f2084e16015d9c1877f5374e92017e3850a18a0525f67867136c9b4b960919eac3a80287c8a96fffa2b1bee2fe18103c3e153215530
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize
      203B
    • MD5
      065237ee1665d9977435b48e2eda79ea
    • SHA1
      bb66c8b30963fd231bff2d250823af62dcca9c0d
    • SHA256
      dd4069f2a5ae6dfbd8a7b70d1d2b6888312cf9cdea4c3f16f90a978d8ac09e3e
    • SHA512
      37d2137773d0d3034321ff0b650da8dab4540b3b7c5fe239af079f36193d301b6ff467c7b89c8a76591d07a626bbbca1332e6f6a41b387b41fa3b32e06029c82
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize
      171B
    • MD5
      bef69e59463e688ab0bde86ca2c38c2f
    • SHA1
      47ff4f2798e0efc0606adf0393a0ed6a5e27868e
    • SHA256
      69015fc3220d5a5f61ba08628e89afc38c459191ea670e2a6c091785ef259db1
    • SHA512
      413f75a8930516c9c1bfa22f71c8f9f2590fe91a2d20301a4f02651101a033a9062292269f915b711ca7a1b6d34c8760be273cb398c1fe035073d90b2547af63
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
    • Filesize
      3.0MB
    • MD5
      42ee3e6541e9332330251d0d5c66de61
    • SHA1
      03e7d7abbd46383355fb17f459140bf2eef26a73
    • SHA256
      bb752af6c86da9edfe2db2b5acf13f930ed2e4d52fd2e107046ebcde51c84ad6
    • SHA512
      c2c0ceef682e1f90dae28127587ff8e470a554c5c4b25a5d2748e5df4df6fe4cf4eab4c002d1b11db949a230ac0e6a27e7469e5fff0b209bca5e25ca0cb1e4f1