Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:00

General

  • Target

    7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe

  • Size

    2.6MB

  • MD5

    fdb38d8db9bd212ceab717e00ee9ddf0

  • SHA1

    7115ab3cb67e1ffec271db2ed420e53accf2f8ff

  • SHA256

    7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7

  • SHA512

    09884ba2512c99f1d06e314c1f39f151db8b9db81654527b170273b6fcc3ad6fb3d181a44732426b241d69a1df667a166bac63a55ab3f5e810f7b8007756a712

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpXbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\IntelprocW6\devbodloc.exe
      C:\IntelprocW6\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3016

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocW6\devbodloc.exe

          Filesize

          15KB

          MD5

          87e354be4aa61f8389e6604d1675efa5

          SHA1

          38bcbf38e1394145f2166766703749df80b20328

          SHA256

          794a732d2f891bfb9155ea0d8e5fadf6c486785b9bdac6abdd220ce2a8ae179c

          SHA512

          debe16cf4c6394d0deae3956bc8214763c4c74bdc89afeb8d6260485b813b797e7be5c2ee0451d765a8b95d2b39c23eb4141843e9767cecf2694d3bbc13552b5

        • C:\IntelprocW6\devbodloc.exe

          Filesize

          2.6MB

          MD5

          1932106027281a1496d62b7166c3f637

          SHA1

          5d5feb9f5288249afc6431f295b4a2d759e8b97c

          SHA256

          b7d5ae6d62b1c9a96ab132701da31d89751450b259639488e362390ac1e8e412

          SHA512

          6314635253d10a456217b4898c4513bb0018a07ce47912675b04bf6bde78fd0d7dcf47227ca3dc4110a227ffbe9bc87bd198a13545fd2b87c0a2a187737fe726

        • C:\KaVB2H\dobdevec.exe

          Filesize

          2.6MB

          MD5

          a6a897a02f85a881d9b0fd214c310707

          SHA1

          bf8451284fb285ac1b3a7cca171d69b0cc7fe01e

          SHA256

          a5a3058e3202c44f028e20c2581830a77bf0c36a7173c3a92302ea92764a45af

          SHA512

          90d30e338f7deb5d568fc35b8ac389f35619c2de9b5e514f8e9c4f406ddd1443935ea97ecf7a9326374f78b4d7d6e037d151ed1e5f8c678fab622d25d92c29b7

        • C:\KaVB2H\dobdevec.exe

          Filesize

          2.6MB

          MD5

          c4974f4f46c724aeb09efcf6c12243af

          SHA1

          a6bef17f126a8a8ab98b0b7d9c58d44ff4d973a0

          SHA256

          7bdc55009592d1f5dbe73dc2ff185b4eeb747ac0e1347312ff1f3c53b800360d

          SHA512

          90e80e4caaeda523733cf5ebe7d6d18f48910a436e0f43dca68fc45d2454c564fee242f1587012b46c0c04e6b50ed8db2721d7657af211efbb41d4582d86619e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          177B

          MD5

          cbe404409eab0d977ad6191f3ded2e35

          SHA1

          b0a66c8bfd9f00de61cac422f6f17a95b128c4bb

          SHA256

          1569329493a8ace82538b7edf157f11506acd2738811ba82ac8543b275527eb3

          SHA512

          49c81c8e219dfe07b2d07ba2ef0cd645e5888bac2c56ea8a298fb3a34553f575347e915f171dc775fc9f48cfb56c421e8fabeb95f8fb1879575152280837a661

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          209B

          MD5

          d575b2e982443c39d32137180db7900d

          SHA1

          e596419f925e0f9dfcf9f0b61468e4b47d918e14

          SHA256

          7151b93d9aaa15d88891d6fa480d9b9dbb2e36353ec24a15ae510039fb1e4057

          SHA512

          84207b0b31bc0465c045f638991c7e2b3d3fdefe39a261228326dccd421003d92f6419f90b1950fa4b3ee867e566c26a5fb9a3e4322eede84ad168ece23556ab

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          01218f407e5e5863390c3b1803bc2f33

          SHA1

          d19aaad7b23d54209b5cbb6ee037ad81950b11ed

          SHA256

          238c8c3b84ba212ade1c968af2b17595500c2657add5f02031d108cc816e86c3

          SHA512

          88d8356d85aaa7e74c614fb5c74be1e18e31dc98fe0e2a883561bce917cd06d7c5b9e1b1b7789890b7c9f6377bd89ab643d4bb65ccbf760194ebf4254732ec0c