Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 12:52
Static task: static1
Behavioral task: behavioral1
- Sample: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
- Resource: win10v2004-20241007-en
General
- Target: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
- Size: 2.6MB
- MD5: f0b744b1415c66f734160a603184c720
- SHA1: 3e3eb1b6ff0da239fed74b163db964a07989b53d
- SHA256: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2f
- SHA512: 2eb3d293682bf0599ea86b7d455818f3201d0aa71a2d0e14ee43d5f9f63ec608f370a2ba299e5362906a244e402d58377d9e2a940d35992696e7f291a2eb6d76
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (process: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe)
- Executes dropped EXE (2 IoCs)
  PID 2796: sysdevdob.exe
  PID 2896: devoptiec.exe
- Loads dropped DLL (2 IoCs)
  PID 2524: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFR\\devoptiec.exe" (process: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0P\\bodxsys.exe" (process: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptiec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2524: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe (2 entries), followed by PID 2796 sysdevdob.exe and PID 2896 devoptiec.exe alternating for the remaining entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2524 (7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe) wrote to memory of 2796, target procid 30 (4 entries)
  PID 2524 (7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe) wrote to memory of 2896, target procid 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2524
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2796
  - C:\IntelprocFR\devoptiec.exe
    Command line: C:\IntelprocFR\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: eca65871c84668c45b86f5299cd60f1c
  SHA1: 44e543f5b6f5e5ba5836d4694bb4a978878aaa24
  SHA256: f6fee2726577c41da6302e02f2c23e2d9ad33af47b6a2b8235cf671f290fb83f
  SHA512: ea241e6e5294b687687e0748bbba40a4beefbfb9cb45be12c15a5c5b66132c5657d7374f60f64c057fe20c52043cc8ad29ba99cd07f18c0c58659618665238a2
- Filesize: 175B
  MD5: 2af9834abb621af6fdbdf68e26cc8302
  SHA1: c272d094acb16e32330b4528359940f9923b166c
  SHA256: 13c3f75d28565188f11d5c9581fc9358dff8ee90e7789f126c4819c8899ed74a
  SHA512: 933f78aed13fae3b40774cf904be1211f066a86eef1d4879b7693072b1bd08d460dde3904be9fd5d731ac459461579364471fe3c788140c8c1627069fa318be1
- Filesize: 207B
  MD5: b243b9748d727fc4ac90146572c6da20
  SHA1: 417f2d085d2ea4575d46ba3cf708114f25d8bb7f
  SHA256: 9b71d4f1ee98c2b4aba18df3e18ce5c4c2388f2a603e95ebf883edff7e07eb53
  SHA512: a00d2f8faa2028643997c28d4a7b971157ed66074553775f82502b207338e61d88835269941cd3b4e0f28af1e3580450adc18413dca0f20278670a39dcb93a96
- Filesize: 2.6MB
  MD5: 5807a4828b5293bc637199ddadf141bb
  SHA1: f886f611f3c7e6d4dc5e07ecf116db49d33e727b
  SHA256: 326a16681e27a370b76dd67b52fad91d912cc1fc43ba7d04a8aac6c34ac0592f
  SHA512: 64c2bc0e9210a4eef522e283fbbb4b343a6aca6b1140a2cf2c68f1e99c44361e953604d9f5bd23961320590fd9e0b19876f9fafd3f7f07ffee7926c010205e74
- Filesize: 2.6MB
  MD5: b933d3f889f8aee7383a66e5ff269e1c
  SHA1: b5e2659797d41bb0af958ca1da1d07f844cd37a6
  SHA256: 6151e93ad8ea8ea8088a687422c029bfdaead567147c2f6ccc3ca0f61f80eb7a
  SHA512: 882165e4f3a815395595ae99013ed411fbe4b34698b22f405dab21375115dacf0e5335a9b45cef426686589064ffdce9c9201c88c02d4646278d05c8b79ffd0d
- Filesize: 2.6MB
  MD5: 7f7870aa35e3095cf0835790003e7dbc
  SHA1: be42d64437632ef111a7f1ea841a7f40a66cb098
  SHA256: 810c66dbe5ef06cc7733f1eca7696b10d6327fd97a62f9e91a4f8ed7126285b4
  SHA512: 150ea4102b2ee42b8fd0af8afbfbca76eecfd5bc9ff4de756f158c773ed0f8259352475d12041d3cd3d2cc1397b3ccc191f61647cbc0765988c01a9582fe5d36