Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
- submitted: 26/08/2024, 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 1454ad825bd6c8f015b5b9aca1632310N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 1454ad825bd6c8f015b5b9aca1632310N.exe
  Resource: win10v2004-20240802-en
General
- Target: 1454ad825bd6c8f015b5b9aca1632310N.exe
- Size: 2.6MB
- MD5: 1454ad825bd6c8f015b5b9aca1632310
- SHA1: 73715608800c2b1373ef1f4b3be103cfbc91b474
- SHA256: 2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259
- SHA512: ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Drops startup file (1 IoC)
  description   ioc                                                                                        Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe  1454ad825bd6c8f015b5b9aca1632310N.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  1248  sysdevbod.exe
  2028  xbodec.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1908  1454ad825bd6c8f015b5b9aca1632310N.exe
  1908  1454ad825bd6c8f015b5b9aca1632310N.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK5\\xbodec.exe"       1454ad825bd6c8f015b5b9aca1632310N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGP\\optixloc.exe"  1454ad825bd6c8f015b5b9aca1632310N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1454ad825bd6c8f015b5b9aca1632310N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sysdevbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xbodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1908  1454ad825bd6c8f015b5b9aca1632310N.exe
  1908  1454ad825bd6c8f015b5b9aca1632310N.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
  1248  sysdevbod.exe
  2028  xbodec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                procid_target
  PID 1908 wrote to memory of 1248   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  31
  PID 1908 wrote to memory of 1248   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  31
  PID 1908 wrote to memory of 1248   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  31
  PID 1908 wrote to memory of 1248   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  31
  PID 1908 wrote to memory of 2028   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  32
  PID 1908 wrote to memory of 2028   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  32
  PID 1908 wrote to memory of 2028   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  32
  PID 1908 wrote to memory of 2028   1908  1454ad825bd6c8f015b5b9aca1632310N.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
  PID: 1908
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      PID: 1248
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\AdobeK5\xbodec.exe
      Command line: C:\AdobeK5\xbodec.exe
      PID: 2028
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads