Analysis
- max time kernel: 119s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2024 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
  Resource: win10v2004-20241007-en
General
- Target: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- Size: 2.6MB
- MD5: 5ea12786e77fd6800b9cfd6c9aa64cd0
- SHA1: 52e706cc2bf6df78b29079d3e45cf68cbe0d49ce
- SHA256: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2
- SHA512: f19204e3fdfcbe6af4d455df247bc8a260f4d934a5e98c2e33214b8b728757888e982e79920cdca640934981b1a113339bd99db2c26396640535ceba9edb0c9f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpOb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4088 | sysdevopti.exe
  2272 | xdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAQ\\xdobec.exe" | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMP\\boddevloc.exe" | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevopti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (the report lists 64 entries; repeated rows are collapsed here with their counts)
  4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe (4 entries)
  4088 | sysdevopti.exe (30 entries)
  2272 | xdobec.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4464 wrote to memory of 4088 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 88
  PID 4464 wrote to memory of 4088 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 88
  PID 4464 wrote to memory of 4088 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 88
  PID 4464 wrote to memory of 2272 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 91
  PID 4464 wrote to memory of 2272 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 91
  PID 4464 wrote to memory of 2272 | 4464 | d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4464
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4088
  - C:\SysDrvAQ\xdobec.exe (depth 2)
    Command line: C:\SysDrvAQ\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2272
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 06385875dd55022a41a5eadec8557162
  SHA1: 1813249d23aea943a7f5c4785f850c87026dc382
  SHA256: 57fcea517e5106ef77f2c5eb86262491451de635f3d621ce9d7715605c97d386
  SHA512: e4b3748a99525b2600c4f58f67ad87850e26c5d324f202efbebf6e83518177e637603cbee1db22f62acc250c77cc0efd4514b56065381cadb0527f5f01992a97
- Filesize: 64KB
  MD5: 1fe0d14acbae1f4503fe3c851d715a39
  SHA1: 6e9ecb695f2b07b82aa67f8a0c7c244f7baada13
  SHA256: 61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574
  SHA512: 5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583
- Filesize: 2.6MB
  MD5: 17dca6728c3750be0e8e5cc3c45d7d4d
  SHA1: 45ffb2ae2d9e6f96852e2b748863c52c820a8470
  SHA256: c422701479bdff3fba63eddf3aabc99f264e16ce9d6ac203fc5d35c51f161f11
  SHA512: 1faceb8676902e3d676d53f32b3bcc66044748bdb87bcfdeadaed105fecc55647a36a741f8fc7ad125b6678c631f43113820d06c09ddca05c381d08048bfcaa1
- Filesize: 206B
  MD5: bf313a83fe5eb48656a2133d0a82701f
  SHA1: 38583ccda122d5a789bf363e6c889b265c15f2cd
  SHA256: 77226b12346b836edfb08e0d4ce60aa8bfa179d7da4f679f5e51bf3ba8c960fa
  SHA512: 87a2fada08b9d8c72d610fadf859d810d0d3a7e2326d12023ea75f96d429c8a6647c4dd85fac2e137647ef8647a340a057f042988a53e7fba7d49e4152430648
- Filesize: 174B
  MD5: 5ab8bbecc4ddcded6c544082b4fbbc19
  SHA1: eda27d640020ba79cc9e67461f08ca931cf91ee6
  SHA256: 406baacc05b9b4da49f0060795e6e3a0624edeb49b4f9deb7e0fd44ee888ab9a
  SHA512: d1b27e21d01c2257f9689fa820376649467b859dac01b17972887a52a0f8231a916afb0ec7fc8ecfc1ece82ccd0ce1913dace945481ab59fb7ce1bd6a22a93d1
- Filesize: 2.6MB
  MD5: 894cfae85a0de41286d90e75b88f08a7
  SHA1: a52fa5354da642c6e764bfad66488224101c1179
  SHA256: 39401a89ba147661bddb5600a8c0e177dcca832170ac643e34949f90df3e4c3a
  SHA512: e2dd2025c6173f4893d611738a34f52b7351c19c7c1ad6c489d77f618d2ccd44505c73d41afce1f21fa879ac2acd53eb45f3ac0060b850519101f4d2d601af73