Analysis

max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 14:25
Static task: static1

Behavioral task: behavioral1
  Sample: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
  Resource: win10v2004-20241007-en
General

Target: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
Size: 2.6MB
MD5: 39e078a66e22cf574d8ff712bd217040
SHA1: 857a3a5925b81392e954c9d98555d15433b190f4
SHA256: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a
SHA512: 4073d533a854238a8c8ca21de8a9250fab81be71512c692803a3098237811147ab89aa5e4faf2794c89d46fce20a9833c4c163fb7f004aa261663cc60e10e1a7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe)

Executes dropped EXE (2 IoCs)
- PID 2548: sysabod.exe
- PID 2932: devbodloc.exe

Loads dropped DLL (2 IoCs)
- PID 2064: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFT\\devbodloc.exe" (process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXW\\dobdevec.exe" (process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysabod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodloc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2064: 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe (2 events)
- PID 2548 sysabod.exe and PID 2932 devbodloc.exe: the remaining 62 events, alternating between the two processes

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2064 (53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe) wrote to memory of PID 2548 (procid_target 31): 4 events
- PID 2064 (53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe) wrote to memory of PID 2932 (procid_target 32): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe (PID 2064)
Command line: "C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe (PID 2548, child of PID 2064)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvFT\devbodloc.exe (PID 2932, child of PID 2064)
  Command line: C:\SysDrvFT\devbodloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads