Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 23:25

General

  • Target

    dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe

  • Size

    970KB

  • MD5

    317c6ab25574d7f469a47590c8d5eb40

  • SHA1

    ff4c7e89fc8e4e91921e68d0e26ce64d8e0984ad

  • SHA256

    dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cce

  • SHA512

    26d0bf9aee001cd20c7342fb1dd1ca8487e64767cae83d82a0847710f8818adb902d13d07dead1e2202c2d76ad96d524bc30813aadbe12403cb19ad92c966481

  • SSDEEP

    24576:RV5fin1sAT4v8U0bue7mRl7muSHDpjKJRl1BwF81Ws:DZ6ue7gNHSjpjK3LBd

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe
    "C:\Users\Admin\AppData\Local\Temp\dc559cbd7bd75982c3b5664470d44475156a2fabaa02a3c61d8a946380379cceN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2896
    • C:\FilesWS\devbodec.exe
      "C:\FilesWS\devbodec.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZFS\dobdevsys.exe

    Filesize

    970KB

    MD5

    722fee1ef62a64fe498e02757a27b895

    SHA1

    cd686d1e5359616ccd826929bdf02244bd7b3c01

    SHA256

    fedfcb82db9762ffacd653fef3faf3c7ce91f3157f77c76eaf19ca23113ec229

    SHA512

    2cfff52165f9be13b30afd7f08f5f543bcb9a93dc58ccb7090e904a2e84b404fac69aa4978ee21a08956009ed4276f1c430ac291c97b4040d094cd9f8d07281c

  • C:\LabZFS\dobdevsys.exe

    Filesize

    970KB

    MD5

    059b354b53ca3d1c8912cce74f5118ad

    SHA1

    78c675246de747e217081af1e0d2b845d00a2ae5

    SHA256

    f64475794c4b128a2a2f38d153dd3948bdc5ea6e55dc6b0fa22c019eb4bdb786

    SHA512

    9613d0af954aca3f1d3a8fb8cbff9a310d2c975e1e1dd56d661206f704bbc64d2a82b326858e9f91e1ce45fc19443ffb6a7be32832a4841f6437fbdddbd4d160

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    8f1486f7ff11cbccd0a014d837e6abdf

    SHA1

    a16982e4b5f6dd6c8b83ed8874d634795c73a9a7

    SHA256

    1476695505ea8b18d39bf9d9528e166c3a08c03402ff4978c390cdeebd441c57

    SHA512

    2c16ad74b4dec2a6a015eef37302ec6a59262f2a05ac8e4414f59edef0efd26792941e36ce5ef9e35b60de40e0467434386f16cfb37fb6d267911124a4f91aeb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    36cdf98bcbf12892be28869e152f63cd

    SHA1

    4300cc8271991fa96dac5a2803faefb2356ecc80

    SHA256

    02c7e83e17ab38a48c381bbc63872c2513b88cf1e83896eebd9be17184aa5129

    SHA512

    64bcbe46d08ee81e41c0372473a2df6f1c661ef869a02e1fb36921374f5e565cea08d6c09f655794bd345d6620c844c50d9fe56b2984c0ff97615376a9847c0c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    233B

    MD5

    0140f614018c1feb65549d3118afeca0

    SHA1

    cc4c47df4f4065f0fe1226c7f2233801730965a5

    SHA256

    7eef94cc6f006b810cf6504edffe2b8b195d916f9efde98daa5881dc6b6c3941

    SHA512

    e7019812cc5580f7a925e0dff482e4c5867c9bcba8993171145e60e42a92627223e003614b794433d0ee68a12e1781818cc76294a167c104b6415361addd2d8c

  • C:\Users\Admin\email.dan

    Filesize

    46KB

    MD5

    42e85f2562782d8e1a168c006dd93e38

    SHA1

    f25e50544590366e8dbd0830102873d5cc8b53b4

    SHA256

    e2eac24e16659f24019a1af1ad52476d7c60ae3e081ec53704aac6e0c6031059

    SHA512

    81d7467d1b675f160e0406da36efabb747329a71c4e4228bcbd816def2f452240436509125eb654ddde7e37b4d894393218cf7aa7607fa5313d4c7f0fa3add5e

  • \FilesWS\devbodec.exe

    Filesize

    970KB

    MD5

    3d3b3e47ce142fc43ae03ff3a302b762

    SHA1

    b30ac878f0e4338144ee494a771f83d6d58aafbf

    SHA256

    2f533cfdb69f04f1383f6ef3b4438009ae53af047e5e7f5b6dd3eaf810d18c94

    SHA512

    2e04902a57cf6aa9b82a5413bde81c900c00846e308397c213c8b24812f395075be40bca532ad86de2aa1c3a0e0d4802054f0200011c4630d374b6d622c63f73

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    970KB

    MD5

    121413f3db4f9c5df5e3b90f8544dada

    SHA1

    f8b299c9dbf8313687438cda30c46420d66b45a3

    SHA256

    c0e6b7586d5001cb98a25064aad496734adcc4ffb5e31cb5c87b21718be23f0b

    SHA512

    14b013282554f1f5fcf31688f41aa3db78c5c6ff89c15f9f9c9a83175d9be9f1c8fe43d83ef5eb1cfa7e731b8ab6ccfbb2d43784fd49f559d4caf3d4b06e7b9f