Analysis
max time kernel:  120s
max time network: 17s
platform:         windows7_x64
resource:         win7-20240903-en
resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:        08/11/2024, 22:49

Static task:      static1
Behavioral task:  behavioral1 (the run shown on this page)
  Sample:   124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Resource: win7-20240903-en
Behavioral task:  behavioral2
  Sample:   124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Resource: win10v2004-20241007-en
General
Target:  124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
Size:    2.6MB
MD5:     9feeca57632898e3da8059d8a4bc2340
SHA1:    5d4c5b58eb8b2e0b23edcbd7fdb5e770d01b4d3f
SHA256:  124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287
SHA512:  bead80473821d2964cb9f4b64f6c4c7736b7520cdd5ce44bd619d68738ed21d6843c043e8bd545b73ec9acc8426c13ae8c17e2448648d7381166e972ae2aa8e5
SSDEEP:  49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Process:      124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  2912  sysdevdob.exe
  2448  abodec.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  1276  124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  1276  124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No IoCs are listed for this signature on this page; it is a behaviour tag without a specific file or registry artifact to hunt for.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPC\\abodec.exe"
                   Process: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAR\\optiaec.exe"
                   Process: 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Both values share the name "Parametr" but point at different binaries: the Run value launches C:\SysDrvPC\abodec.exe at every logon of this user, the RunOnce value launches C:\MintAR\optiaec.exe at the next logon and is then deleted. optiaec.exe does not appear in the process tree below, so it did not execute within the 120 s run; on a real host it would only show up after the next logon, which is why the RunOnce value and the C:\MintAR directory are worth hunting for even though no process from that path was observed here.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sysdevdob.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   abodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  1276  124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe  (2 entries)
  2912  sysdevdob.exe  and  2448  abodec.exe  (the remaining 62 entries alternate between these two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  Source PID  Source process                                                           Target PID  procid_target  Entries
  1276        124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe  2912        31             4
  1276        124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe  2448        32             4
  All eight writes go from the parent to the two child processes it created (target PIDs 2912 and 2448 are sysdevdob.exe and abodec.exe in the process tree). Parent-to-own-child writes at process start-up are common for droppers and are not, on their own, evidence of injection into an unrelated process; treat this signature as supporting context rather than a standalone injection finding.
Processes

C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe  (PID 1276, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe  (PID 2912, depth 2)
  |     Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  |     - Executes dropped EXE
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious behavior: EnumeratesProcesses

  +-- C:\SysDrvPC\abodec.exe  (PID 2448, depth 2)
        Command line: C:\SysDrvPC\abodec.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
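As an added hunting check, not part of the sandbox report, the PowerShell below looks on a live host for the persistence and file indicators this page lists: the Run/RunOnce value "Parametr", the C:\SysDrvPC and C:\MintAR directories, the Startup-folder copy sysdevdob.exe, and the SHA256 hashes of the sample and its dropped files. It assumes PowerShell 4 or later (Get-FileHash and Get-CimInstance are not in the PowerShell 2.0 that ships with Windows 7), that it runs in the context of the user whose HKCU hive should be inspected, and that the user's Startup folder resolves through $env:APPDATA. The hash set is copied from the tables on this page, which do not say which dropped file carries which hash, so the comments only group them by size.

```powershell
# Added hunting script for the IoCs in this report (not the sandbox's own code).
# Assumptions: PowerShell 4+, run as the affected user, Startup folder under $env:APPDATA.

$KnownHashes = @(
    '124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287',  # submitted sample
    '9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296',  # dropped, 2.6MB
    'e4ca5c6ba4171f193febad64c1425c581e4b4812c71a2f71df75febe53c800d1',  # dropped, 2.6MB
    'e2817ec6e047a7407e5a92947e1765c81b481c61f7e1349492616dfe4a387125',  # dropped, 2.6MB
    '349663df222b5634b17db98aa0dd0fab7d9762387df4edfe2ce08fd2919e3fb7',  # dropped, 2.6MB
    'caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97',  # dropped, 170B
    '1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970'   # dropped, 202B
)

# File paths taken from the "Drops startup file" and "Adds Run key" signatures.
$IocPaths = @(
    'C:\SysDrvPC\abodec.exe',
    'C:\MintAR\optiaec.exe',
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe')
)

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Run / RunOnce values: the report shows the value name "Parametr" in both keys,
#    so match on the name and, independently, on the two dropper directories.
foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }     # provider metadata, not registry values
        $Value = [string]$P.Value
        if ($P.Name -eq 'Parametr' -or $Value -match '\\(SysDrvPC|MintAR)\\') {
            Add-Finding 'Registry' "$Key\$($P.Name) = $Value"
        }
    }
}

# 2. Dropped file paths; hash anything present and compare against the report's set.
#    A file at an IoC path with an unknown hash is still a finding (repacked copy).
foreach ($Path in $IocPaths) {
    if (Test-Path -LiteralPath $Path) {
        $Hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Known = if ($KnownHashes -contains $Hash) { 'known hash' } else { 'UNKNOWN hash' }
        Add-Finding 'File' "$Path sha256=$Hash ($Known)"
    }
}

# 3. Live processes running from the two dropper directories (abodec.exe was seen
#    running from C:\SysDrvPC in the sandbox; optiaec.exe would run after next logon).
Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and $_.ExecutablePath -match '^C:\\(SysDrvPC|MintAR)\\'
} | ForEach-Object { Add-Finding 'Process' "$($_.ProcessId) $($_.ExecutablePath)" }

if ($Findings.Count -eq 0) { 'No indicators from this report were found.' }
else { $Findings | Format-Table -AutoSize }
```

The registry check deliberately matches on the value name as well as the path, because the same dropper family can rotate directory names while keeping the value name; conversely a file found at an IoC path with a hash outside the set is reported rather than ignored, since the dropped copies on this page already differ from the submitted sample's hash.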
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files written during the run; the report does not name them. Four are 2.6MB, the same size as the submitted sample, but none shares its hash, so a block on the sample's SHA256 alone will not catch the dropped copies.

Filesize  2.6MB
MD5       192b751a0d7753e6e15f764f6cd9ff9a
SHA1      0eb5e6928ee1c190279f10a2f00dc31cb8a40dc3
SHA256    9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296
SHA512    163baca775305cf722c1a37babe081d0115fa82e083f83b2f4881aa2c28b5ab69172e8c8e42caec6ea94303db2226120266798b8058b87b821acde68452545be

Filesize  2.6MB
MD5       6bd2c663ed8807c4a06d9d525a0505e6
SHA1      daed1e919dc741805951ccfa50e0012e69f8efef
SHA256    e4ca5c6ba4171f193febad64c1425c581e4b4812c71a2f71df75febe53c800d1
SHA512    3edec5c463be6fb40b52866933a66d743cba15b521f584bfb2191a60a899840e3172fb2d458360945404453fe03540697861b518580ac25120381b315ad72a83

Filesize  2.6MB
MD5       67d2027f8824b7369d01ed99a320f7c2
SHA1      2254852735be28c83c4558e73b4ddbf33f2ee240
SHA256    e2817ec6e047a7407e5a92947e1765c81b481c61f7e1349492616dfe4a387125
SHA512    461784eddb6cb4c22b06a8e33b6681059818c1df43d7bc35214c16ebc6d9290f5994d25251481e75084e2db190544bfc21422affd2b61a28eccce4c724df8841

Filesize  170B
MD5       8ec0023952d03d5154e5a19790f640dc
SHA1      8bbb572cb647c92a2b98a90972713ba315d4377b
SHA256    caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97
SHA512    1d95295863089aa85469498aca46eaef2190c9d6fcc96269cbc00fd44cf8523323f895d0aa41551664533348dbcf4ec448b62b282a1658a92b2e21f47ceeb50c

Filesize  202B
MD5       24149af154da5fcdf391c93ce3337c57
SHA1      f383b70bd730c747dc1a091dc5179b5dcadce083
SHA256    1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970
SHA512    63b8475ede8672f0945e03c618e63b8ddd7e5e5084a35805c98a0dce0ed75464c781ad8c2769654ee5492c9b5b6bfe9bfe405042ea81f8278e55ade95e38d341

Filesize  2.6MB
MD5       ea93623332821ab1ff104b59324bc94c
SHA1      a0d6f2498fbef65967f2e3245405cd7387dee7d6
SHA256    349663df222b5634b17db98aa0dd0fab7d9762387df4edfe2ce08fd2919e3fb7
SHA512    0c3daf332bd8695ff7cbff8e33db8d22ed0113b898cb988d3bfb7490bd8021b2a316d7caa42677fb73c013fe407d6686f97df87542d34417fa756603e444deb6