Analysis
- max time kernel: 119s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 04:12

Static task: static1

Behavioral task: behavioral1
- Sample: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
- Resource: win10v2004-20241007-en
General
- Target: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
- Size: 2.6MB
- MD5: cd24d042147b423f240b3eea6c3b1000
- SHA1: bbd5ad7d83dad70b59a617ce1f1f3b19b26bd158
- SHA256: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8e
- SHA512: ef89a132e2acb36832f5457138462a5335bc593a569f47a42e1d30ed899b0c457084a5137a54b225e89ac0dc00744c138735bc4810bff289057482dbb5580fc7
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2892 | sysdevbod.exe
  2872 | xdobec.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2244 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  2244 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKU\\xdobec.exe" | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWO\\dobxloc.exe" | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2244 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe (2 entries)
  2892 | sysdevbod.exe
  2872 | xdobec.exe
  (the remaining entries, 64 IoCs in total, alternate between 2892 sysdevbod.exe and 2872 xdobec.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2244 wrote to memory of 2892 | 2244 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 30 (4 entries)
  PID 2244 wrote to memory of 2872 | 2244 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 2892, child of 2244)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\SysDrvKU\xdobec.exe (PID 2872, child of 2244)
    Command line: C:\SysDrvKU\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads