Analysis

  • max time kernel: 119s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 22:30

General

  • Target: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  • Size: 2.6MB
  • MD5: accf34785eae1f5727b18983b01c38b0
  • SHA1: 462a1bb16c7eb99319f254eb1df1e852b2ebfeb5
  • SHA256: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7
  • SHA512: 072ea1f8d38c649328231e4310b1bcaf70734ae58033121d9acc751a774777926acc22e50cdae20eb48463f347669cd96649f691fedb001cbfef6bec971b7da8
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpUb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
    "C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4720
    • C:\FilesPU\devbodec.exe
      C:\FilesPU\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesPU\devbodec.exe
    Filesize: 2.6MB
    MD5: 3d94f62268a4fb4599c209fd92db0edf
    SHA1: 27daf0fee8c2894c0fe18183daadee1d0d67a69c
    SHA256: a28823d61fe1dd956c6951cbc7f48efc8fa4e451faeaed63fd5e84406ba64037
    SHA512: 4f4da5402dae433df2cf52c97dc70c50a22e46ab1fb61e5dd68e83e84e6c3c68b5a3ad344a0ee01a2b8429d1a0ee2fc962a2ca5a34a1119c9ae84c68b8d60220

  • C:\KaVBOV\boddevloc.exe
    Filesize: 2.1MB
    MD5: 9bd2406ab96ed5ca3def3ebd19752e5c
    SHA1: 0ccb6881bbb2fac66001daea80145e386f5d947e
    SHA256: 80fa5d7ae449772f335e8f7446e4508069c8fda62e1aff8c81843d7583d865a6
    SHA512: 3ef9f370cc9cfe46a8680d9424060e335da09f65b49735155d5747f10eb16c59893fa997dc1efbf48ea32e39158c9a8c49dd928f38313588e9aebe82c40130d3

  • C:\KaVBOV\boddevloc.exe
    Filesize: 2.6MB
    MD5: 2d014a35145ad0c0bf383d6c48535247
    SHA1: f1e2615b5740c1d1922996a0887fd8944f2fa787
    SHA256: 0eeec169c7ae962f8506af90031c334e2fdfe3b328297c2c212248fdde489fde
    SHA512: 6c8682b88f59db94b9e903411240b757dee77d5fb1ed3bf86572e3f843d9843bfff391fab9b0157ce4173cc8819b1e24298e031baa575c341869454a0822c2b4

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: 64958e8abb7d6beff88a72c8a4df677c
    SHA1: 8c3a19104ef691c6f60eeda8db4d2b0f0b48ea66
    SHA256: 360bad04d294ea74959a38a1fed45000aa5f90241a07141b8eaf997caf9481cc
    SHA512: b79fd405312ddd608d72c7fe5f5bc56be89b98ed435998997b6cf27ae787e211eed8eb0a6e41bb3f85953c6b65fa6cee51281e761ba6e34aa284e4d098fd3b29

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 174B
    MD5: ce7f0d7b7ac0e820b7ec1d180f47001d
    SHA1: ffc894dfb5824781646ca5254605389888b71e38
    SHA256: 18f687c47bc527c87d91d48b18151c5fa739577e0258a58c542a9c30612979e9
    SHA512: e985f193b1cbfcc58ec0fb7f2c364e6f621b0dc8a8585f256a8f775a9364a2df95da1d6055ca4fa04751b1209f62b064f69eae76f4097ef3ac523348e545f3d8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 2.6MB
    MD5: 7636941a2f54f527d72eb62bcaf2eed5
    SHA1: 5f5d306b20c299160b7a2e49c6932eb45b9c9761
    SHA256: 48a1fc8542aa889623cf96125cc6508228f07dc3752e45af230d1a951a9e19f3
    SHA512: da87a63f21ccb8d1d3a75927380b07dfe8527ddb89641296d8766b002cb881e203abae8ea143fa0c42f00e2189cffc799687a915c920935febef9126a6b88da5