Analysis
max time kernel: 119s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:30
Static task: static1
Behavioral task: behavioral1
  Sample: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
  Resource: win10v2004-20241007-en
General
Target: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
Size: 2.6MB
MD5: 779680a307a34a3c91d2090dc6f89fc0
SHA1: 64082c617087cf1f8e5b179e2cf4a3ece7ec6b2c
SHA256: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448
SHA512: ab1dd2eb9b7d479f8b89181243ef1fa401ea920df6636691d41bc100464ae989fb4ad0c8f0b975e33719ea17c881e21fa7a7aabd6e2f7a43ed6ce3e51c85ef87
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe

Executes dropped EXE (2 IoCs)
pid | Process
3460 | ecdevdob.exe
2656 | devbodsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\devbodsys.exe" | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTR\\bodxloc.exe" | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodsys.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4640 | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe (4 entries)
3460 | ecdevdob.exe
2656 | devbodsys.exe
The remaining 60 entries alternate in pairs between PID 3460 (ecdevdob.exe) and PID 2656 (devbodsys.exe); only the three distinct pid/Process pairs are listed above.
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4640 wrote to memory of 3460 | 4640 | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | 90 (3 entries)
PID 4640 wrote to memory of 2656 | 4640 | 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | 91 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
   PID: 4640
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      PID: 3460
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesP0\devbodsys.exe
      Command line: C:\FilesP0\devbodsys.exe
      PID: 2656
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 117KB
MD5: b30af74c34a007928f25b3c482d6aeba
SHA1: 111abb46b79b44819e95067b1b91c24e37f73cb4
SHA256: 1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea
SHA512: 4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041

Filesize: 2.6MB
MD5: 45729fefe85d6941a3f8639fa40ed6ce
SHA1: ef3bde99214f2da29dd6ebdbf98517bd6ba35b32
SHA256: 1f3a75fbfbc2dce916cd50a5ab379f3f41b56b3ab68b03b22cf324f93e79b6c5
SHA512: e496d8bded7959a1ef9657862910dc78b000e9d181bb95e7725797cc6b01a0e0d4a913073ba3a465f6d70fca08fceedba84374d19fc10857e7844efa6456f185

Filesize: 1.0MB
MD5: 759aec5f038416e01893d90cfe048577
SHA1: ca4fb61ce8b05248741f436c357e8f398a765384
SHA256: 80dce40506c7a13c6a3e02c2a65f17f09350181f3893361a9acd8c0e860958b4
SHA512: 3bd433964bc697503ad75d279a10efc318bf6ff53d0c6959885b936b4c24a8e1d47045ce3bfde5e3627b8fb1bf79ab50d8ec9bd00fb50508356168a55a0f93a1

Filesize: 118KB
MD5: 49af68b42b3107ac792422c10fe0b74f
SHA1: 5fc398ad18774ec4495f063f018f4db58862dbe8
SHA256: 83a7f31b8578e7a00a994f3dbe8e71747a382cf0e351c7d7fa0610dded8976c4
SHA512: 89a91aafb5af39699748f6b84a6bc5db955d5f5d4474447893b829c9fed9377a791c01483bbd890bff4c7e24d20a7a372137094dd20fe9de5c9057a61f4a37dc

Filesize: 204B
MD5: 590bbc03bea59ca5eec167e87d81ec63
SHA1: 286454970195b190514d3c52badfafb4be07a082
SHA256: 5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822
SHA512: 5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c

Filesize: 172B
MD5: 6a64c9ba46a6f32dc6b2aeca90b309cb
SHA1: 432e0de09b22ac58f64943e0160910909380f96e
SHA256: c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7
SHA512: 1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda

Filesize: 2.6MB
MD5: 075103a38e58ccda2b4213017c671dfb
SHA1: 9c2177b52c0e15a5cf7c7a7db79e250542ce09b1
SHA256: 8d78c8edf9c5423256ba484849772a920422236052237b4d1b230f35c8fe8607
SHA512: 3aa12d7a5031604ab5a094d0ce066e94ba30d1d60ee68834799a0c9c1eb741b379fb5ac3fb7b8221e1faf0ae6ddb3e4ead1d43b39d50d0e858fe5a88ef7b5df7