Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:01

General

  • Target

    06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe

  • Size

    2.6MB

  • MD5

    5d793986e055bf27b3397a43b07db2e0

  • SHA1

    2bdeb33c4dbb5bd946919ff763caf2a6565cb520

  • SHA256

    06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12

  • SHA512

    ff8cce86d8f6db3885257ca4049570bbf01109a2eea7a8c7c6b27dc98949093c3787b3f0ef2e57050bcc350b1ee26267ba3fe88aa1011c101d0ac7f5b2ba3e74

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpwbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
    "C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1060
    • C:\UserDotQL\devdobec.exe
      C:\UserDotQL\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2548

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVBEY\bodxec.exe

          Filesize

          2.6MB

          MD5

          772cefcdfeffb915c8fb04a6f785fb37

          SHA1

          555b079112ea09be88f442dd0c92db7d9b358a5c

          SHA256

          267dda70cc62a96a897b3e8b3d0fa249bdc95a866d89e279468b472398a6c904

          SHA512

          beec194384eeb5be09a7a59c398081567162345c5734a82093ad8c80dbd138d2aae2770cb33a8ede0c8acacbd44d53ecdfcbc73680f2e41d637e31feff1af4fa

        • C:\KaVBEY\bodxec.exe

          Filesize

          2.6MB

          MD5

          00664a79741ff63fcb676b413d2b1ae3

          SHA1

          eb425d49bed86534fdeb446117b2a3288dcbe4c2

          SHA256

          605b61f3c98cc3f210194ae8fd839ff614a25b71a0a7792dc3ae9294bd597e12

          SHA512

          8dccf34e3c80cf87d2434f48cd994a50bf1dc01381926507105ee45b78a43c2136d59b5eb33d65cf7ec05faf20b7fe8a9c2f39cee714aa9a3112057ed64d5ca5

        • C:\UserDotQL\devdobec.exe

          Filesize

          2.6MB

          MD5

          dfa06a7019b3a5272c70208dbe9d368c

          SHA1

          041e00bf018d8e40423f35782b77cef1e09d7e16

          SHA256

          b00f0db3504917fccec31ed8033d46e7c3d3bc73edf7e59547e2b4f52ec0da8c

          SHA512

          ec35a941e3b6f65ee52c12f99ec30c05bdeec2fa69388ff02573cd402f84c4716712df6adc474fc67e8fa851f042b8747c06c78d458e893bca871a0ee844aab7

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          148736d6bedb945b9dea407558a831bf

          SHA1

          c3fde95a2cd68bb3770433c9f04659703ca823e5

          SHA256

          a017a2e4fe636ebb5f4a53e0ec5213e54e6d0d26e0b2c0a273595786892ba37e

          SHA512

          0ac3c8410aa66b6c5ae8f32dc16d205bc9c3dc3ac1c935aa4d8acafbe9b3ebd96212bd75272a1ac5e68848b90b817153d64d07378afb0a474e7a87f2a3cfe62a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          75896cbd8a9329f9a23683fad157c1db

          SHA1

          e84bc72a5f5c941adb6dd64989fc3d3ec4127c22

          SHA256

          5316a514d2e1a65b7373ec47a60984e733261a20515b98b0c2a39cbb97afcea4

          SHA512

          08c4714411c1c95116d953aa9bc78ed623edf743d6b18f9ef577d47bd0da4f292e773a61760a17b5743aa0e0097b620692b6c2c32e4b240cf0eb9973fdd4e2cb

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          9335f3ecb07534911e9331aa23d6532c

          SHA1

          64a73a5a527184f91019779c187a507975cecea6

          SHA256

          80e156367805fbb35499f333d37244fd002e08c38ea6e4ea06754a02dc18778d

          SHA512

          657260a4023c23fa7a4a9e851e3e19975aba3dcfe85d78846a88f187211f4c80661104b70ba28f53352f580916d6a3585b519877bd3ab68dc2c02dec12f12450
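
The behaviours this report flags (a file dropped into the Startup folder and then executed, a Run value added by the dropper, and the same dropped path C:\KaVBEY\bodxec.exe listed under Downloads with two different hash sets) can be turned into a small triage script. The following Python is an added example, not sandbox output or code from the sample: the Sysmon-style event shape, the Run value name `sysaopti`, the HKCU key path and the two notepad events are assumptions; the PIDs, file paths and SHA256 values are copied from this report.

```python
"""Added triage example (not from the sandbox report or the sample): correlate
Sysmon-style events into the behaviours this report flags, and match file
records against the dropped-file hashes listed under Downloads."""
from collections import namedtuple

# Substrings matched case-insensitively; written with escaped backslashes
# because a Python raw string cannot end in a backslash.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run\\",
            "\\software\\microsoft\\windows\\currentversion\\runonce\\")

# Paths and PIDs copied from the process tree in this report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\sysaopti.exe")
SECOND_EXE = r"C:\UserDotQL\devdobec.exe"

# Constructed events in a Sysmon-like shape (1 = ProcessCreate, 11 = FileCreate,
# 13 = RegistryValueSet).  The Run value name "sysaopti", the HKCU key and the
# notepad events are assumptions, not taken from the report.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 2356, "image": DROPPER, "target": STARTUP_EXE},
    {"id": 11, "pid": 2356, "image": DROPPER, "target": SECOND_EXE},
    {"id": 13, "pid": 2356, "image": DROPPER,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysaopti",
     "details": SECOND_EXE},
    {"id": 1, "pid": 1060, "ppid": 2356, "image": STARTUP_EXE},
    {"id": 1, "pid": 2548, "ppid": 2356, "image": SECOND_EXE},
    {"id": 1, "pid": 3000, "ppid": 600, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 11, "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

Alert = namedtuple("Alert", "rule pid detail")


def detect(events):
    """Walk events in order and emit one Alert per matching behaviour.

    Every FileCreate is remembered, so a later ProcessCreate of that same path
    is reported as execution of a dropped file and attributed to the writer
    PID, whoever the parent process is (Startup items are launched by
    explorer at logon, not by the dropper)."""
    alerts, created_by = [], {}
    for e in events:
        if e["id"] == 11:
            path = e["target"].lower()
            created_by[path] = e["pid"]
            if STARTUP_DIR in path and path.endswith(".exe"):
                alerts.append(Alert("drops_startup_file", e["pid"], e["target"]))
        elif e["id"] == 13:
            if any(k in e["target"].lower() for k in RUN_KEYS):
                alerts.append(Alert("adds_run_key", e["pid"], e["details"]))
        elif e["id"] == 1:
            writer = created_by.get(e["image"].lower())
            if writer is not None:
                alerts.append(Alert("executes_dropped_exe", writer, e["image"]))
    return alerts


# SHA256 values copied from the Downloads list.  The same path is reported
# twice with different hashes, so a hash-only indicator misses other copies.
DROPPED_SHA256 = {
    r"C:\KaVBEY\bodxec.exe": {
        "267dda70cc62a96a897b3e8b3d0fa249bdc95a866d89e279468b472398a6c904",
        "605b61f3c98cc3f210194ae8fd839ff614a25b71a0a7792dc3ae9294bd597e12"},
    SECOND_EXE: {"b00f0db3504917fccec31ed8033d46e7c3d3bc73edf7e59547e2b4f52ec0da8c"},
    STARTUP_EXE: {"80e156367805fbb35499f333d37244fd002e08c38ea6e4ea06754a02dc18778d"},
}
_IOC_BY_PATH = {k.lower(): v for k, v in DROPPED_SHA256.items()}


def classify(path, sha256):
    """Return 'hash' for an exact indicator hit, 'path' when only the dropped
    path is known (a fresh, differently hashed copy), or None for no match."""
    hashes = _IOC_BY_PATH.get(path.lower())
    if hashes is None:
        return None
    return "hash" if sha256.lower() in hashes else "path"


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:22} pid={a.pid} {a.detail}")
    print(classify(r"C:\KaVBEY\bodxec.exe", "0" * 64))
```

Running the script against the constructed events yields four alerts, all attributed to PID 2356: the Startup drop, the Run value, and two executions of dropped files. The `classify` call at the end returns `path`, which is the case a hash list alone would miss; given that this report already shows two distinct hashes for one dropped path, anchor detection on the drop-then-execute behaviour and the Startup and Run-key paths rather than on any single hash.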