Analysis
max time kernel: 120s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Resource: win10v2004-20241007-en
General
Target: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
Size: 2.6MB
MD5: d86b96177072ea29abf7b9a1e2262ac0
SHA1: 6f6bb2c8e29626d911b176b1fb4e85892a1a649a
SHA256: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144
SHA512: 4e7b946f7a43aaa0a339158b60a018d56c90e43f2e4e38011614d9414140bbba040afa4b144f063818e44dbb7783d4c0d15b19043acc7d4dcefa3c28be8b603d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4560 | sysxbod.exe
  3852 | devbodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOD\\devbodloc.exe" | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQP\\dobxloc.exe" | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysxbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | events
  2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 4
  4560 | sysxbod.exe | 30
  3852 | devbodloc.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2596 wrote to memory of 4560 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 88
  PID 2596 wrote to memory of 4560 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 88
  PID 2596 wrote to memory of 4560 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 88
  PID 2596 wrote to memory of 3852 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 91
  PID 2596 wrote to memory of 3852 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 91
  PID 2596 wrote to memory of 3852 | 2596 | 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | 91
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe"
  PID: 2596
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
    PID: 4560
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  (depth 2) C:\SysDrvOD\devbodloc.exe
    Command line: C:\SysDrvOD\devbodloc.exe
    PID: 3852
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads