Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
- Resource: win10v2004-20241007-en
General
- Target: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
- Size: 2.6MB
- MD5: 5d793986e055bf27b3397a43b07db2e0
- SHA1: 2bdeb33c4dbb5bd946919ff763caf2a6565cb520
- SHA256: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12
- SHA512: ff8cce86d8f6db3885257ca4049570bbf01109a2eea7a8c7c6b27dc98949093c3787b3f0ef2e57050bcc350b1ee26267ba3fe88aa1011c101d0ac7f5b2ba3e74
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpwbV
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)

Executes dropped EXE (2 IoCs)
- PID 1060: sysaopti.exe
- PID 2548: devdobec.exe

Loads dropped DLL (2 IoCs)
- PID 2356: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
- PID 2356: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQL\\devdobec.exe" (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEY\\bodxec.exe" (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysaopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devdobec.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2356: 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe (2 entries)
- PID 1060: sysaopti.exe and PID 2548: devdobec.exe (the remaining 62 entries, alternating between the two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2356 (06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe) wrote to memory of PID 1060, procid_target 31 (4 entries)
- PID 2356 (06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe) wrote to memory of PID 2548, procid_target 32 (4 entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
  PID: 2356
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 1060
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Level 2: C:\UserDotQL\devdobec.exe
    Command line: C:\UserDotQL\devdobec.exe
    PID: 2548
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1 (Filesize: 2.6MB)
  MD5: 772cefcdfeffb915c8fb04a6f785fb37
  SHA1: 555b079112ea09be88f442dd0c92db7d9b358a5c
  SHA256: 267dda70cc62a96a897b3e8b3d0fa249bdc95a866d89e279468b472398a6c904
  SHA512: beec194384eeb5be09a7a59c398081567162345c5734a82093ad8c80dbd138d2aae2770cb33a8ede0c8acacbd44d53ecdfcbc73680f2e41d637e31feff1af4fa
- File 2 (Filesize: 2.6MB)
  MD5: 00664a79741ff63fcb676b413d2b1ae3
  SHA1: eb425d49bed86534fdeb446117b2a3288dcbe4c2
  SHA256: 605b61f3c98cc3f210194ae8fd839ff614a25b71a0a7792dc3ae9294bd597e12
  SHA512: 8dccf34e3c80cf87d2434f48cd994a50bf1dc01381926507105ee45b78a43c2136d59b5eb33d65cf7ec05faf20b7fe8a9c2f39cee714aa9a3112057ed64d5ca5
- File 3 (Filesize: 2.6MB)
  MD5: dfa06a7019b3a5272c70208dbe9d368c
  SHA1: 041e00bf018d8e40423f35782b77cef1e09d7e16
  SHA256: b00f0db3504917fccec31ed8033d46e7c3d3bc73edf7e59547e2b4f52ec0da8c
  SHA512: ec35a941e3b6f65ee52c12f99ec30c05bdeec2fa69388ff02573cd402f84c4716712df6adc474fc67e8fa851f042b8747c06c78d458e893bca871a0ee844aab7
- File 4 (Filesize: 171B)
  MD5: 148736d6bedb945b9dea407558a831bf
  SHA1: c3fde95a2cd68bb3770433c9f04659703ca823e5
  SHA256: a017a2e4fe636ebb5f4a53e0ec5213e54e6d0d26e0b2c0a273595786892ba37e
  SHA512: 0ac3c8410aa66b6c5ae8f32dc16d205bc9c3dc3ac1c935aa4d8acafbe9b3ebd96212bd75272a1ac5e68848b90b817153d64d07378afb0a474e7a87f2a3cfe62a
- File 5 (Filesize: 203B)
  MD5: 75896cbd8a9329f9a23683fad157c1db
  SHA1: e84bc72a5f5c941adb6dd64989fc3d3ec4127c22
  SHA256: 5316a514d2e1a65b7373ec47a60984e733261a20515b98b0c2a39cbb97afcea4
  SHA512: 08c4714411c1c95116d953aa9bc78ed623edf743d6b18f9ef577d47bd0da4f292e773a61760a17b5743aa0e0097b620692b6c2c32e4b240cf0eb9973fdd4e2cb
- File 6 (Filesize: 2.6MB)
  MD5: 9335f3ecb07534911e9331aa23d6532c
  SHA1: 64a73a5a527184f91019779c187a507975cecea6
  SHA256: 80e156367805fbb35499f333d37244fd002e08c38ea6e4ea06754a02dc18778d
  SHA512: 657260a4023c23fa7a4a9e851e3e19975aba3dcfe85d78846a88f187211f4c80661104b70ba28f53352f580916d6a3585b519877bd3ab68dc2c02dec12f12450