Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 14:04

General

  • Target
    b22d746c3f1a3d9dac251f7e782a1580N.exe
  • Size
    2.6MB
  • MD5
    b22d746c3f1a3d9dac251f7e782a1580
  • SHA1
    3f367ea3cc2edec81797d822920dd4009248c613
  • SHA256
    815fa8ccb51eb9a32a7ce6ba039fc8bf933f688ce52bf69d69bfa434c4a00e9f
  • SHA512
    cc7819cc7410db397956a3f5f6fbadafedd11f7a64ee12ac0014310fd0e80e1749de724ff3261dc7c715bd9680e198f9489a4b35b0bb27c0748113658ee8ad0f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpub

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe
    "C:\Users\Admin\AppData\Local\Temp\b22d746c3f1a3d9dac251f7e782a1580N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1700
    • C:\FilesYE\devdobsys.exe
      C:\FilesYE\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4132

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesYE\devdobsys.exe
    Filesize: 2.6MB
    MD5: e024aa71d5a7bcf3743aa1278ea54158
    SHA1: 568ce39602290c1c1f4df5f501bde36f12de15d4
    SHA256: 8273fac3cace5f873ace2b66356cfb40aeb7175762c378b51e364eccfa880441
    SHA512: 416373f5ac55009e2ae5f67a02e0c1540ec61f9cab1e9a254aff96c08910639e7070f052bbaf3b3fe7a3b15674bf27ede9156d2aeaa3ffe67e8d5d3219337bc7

  • C:\LabZMN\bodasys.exe
    Filesize: 486KB
    MD5: 6dc09ff8e7f4ab13a820592a5f7f04c4
    SHA1: 0e0e4028103ac0fc41254bf6fefdbb2e4df4863c
    SHA256: 4a1d1ffef3c6e03f9e16a27466bab645c482028fc3d94b3cde096af7c6aa61cc
    SHA512: 67906cf3d867acd878a968f2df427755920a48354552f787aabb4f7b27197eeee9c2e14dd83ffa30a4f55a3f0c482c1c38f4a1095d0d0529348128191228c58f

  • C:\LabZMN\bodasys.exe
    Filesize: 578KB
    MD5: 7441b8e33672eb6a5a89cad617bfd78d
    SHA1: cbf12e66ed6c48b84ab96277421f84a199c5e223
    SHA256: c99d80a01d527cecf5e9a01a70725bbb112f80898be59eaf6e2ff3f53c71b767
    SHA512: f944b381faca2f453cef53663fe34587a8bbbedadb2c0f2523e09b20ce4632f745a1eecbd58fec732e3f4e4c2f4382edc7070f1d884d98db3967edb4683fedff

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: c06834c8fc59d86d0f818e3307c85d31
    SHA1: eba95899d59eaa27f4d5f2151b5c2fbb331231b9
    SHA256: f1913c56553a98b06ef8957dbadeb3939974da9608c3bc0b806285eb5a7a1dd2
    SHA512: 0643c31908d6f462408f8c0318525d3f90b2960cb676017420b8a47c5018760c6ebc50f3a8e071005ca079f2ed22f9c54ee82338b74c74869563692ed3d27759

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 6319b43cae45e977557fa842b33c27ba
    SHA1: 377e2b00fc629584ee3fa896e6dd7c37c5bd469e
    SHA256: 3e445a6d1f5e571dd12128245339b833d339a8790bc6ffeeb7e8626b3d5435bc
    SHA512: a2d8909c3df45c2235d7c4386aa8e9658bce0bcd4861e4bdc7805272c81642edea58a901e858061b80b2b9021d03a640f4f7df9c028cb52bdf120e207a114a4f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 2.6MB
    MD5: e4d3a4ff7e228d79e05767933a5563b7
    SHA1: 91cf313bf455e64345d05b770f67444349172f1e
    SHA256: 1e667b673e7b9e75c08e460676896895e26c58d9e16c4906bf3b61b10a8ac11c
    SHA512: 9cf7fe2a3d9250a9b46018b8304eb5e5f72306448ef7085a997df28e7c97c9d942724489f3ff1d5157f0a49d2e2f66211bf934932f131b416ebc846d6371038c