Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:25

General

  • Target

    53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe

  • Size

    2.6MB

  • MD5

    39e078a66e22cf574d8ff712bd217040

  • SHA1

    857a3a5925b81392e954c9d98555d15433b190f4

  • SHA256

    53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a

  • SHA512

    4073d533a854238a8c8ca21de8a9250fab81be71512c692803a3098237811147ab89aa5e4faf2794c89d46fce20a9833c4c163fb7f004aa261663cc60e10e1a7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
    "C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
    • C:\SysDrvFT\devbodloc.exe
      C:\SysDrvFT\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2932

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\MintXW\dobdevec.exe

          Filesize

          2.6MB

          MD5

          e67dc6834ce31d29f50136660d095421

          SHA1

          83bb30820d93520ff880aac872bbc5c553d6908b

          SHA256

          1f905f47cfa431c6b5609dbe5776a9d2a1c4b2f45bdc48d2906fec9ac462b1a3

          SHA512

          a46129641a99403f861cf582f1f6e48afc06cd6463b28eeb6814ffa63bdcba0e4174ac4dc3c801586399395b444e2abdbc0415eaa706389b3d014c8e56189070

        • C:\MintXW\dobdevec.exe

          Filesize

          2.6MB

          MD5

          5a66ee79c55767a5ece19ef4b01a5783

          SHA1

          afecff18f15bcf5f7efc93a90fe919aece258d27

          SHA256

          be5ac3d16e4ddcb83200e8371c6869844df96b8bfb696c30a6b60a11e96852f9

          SHA512

          8f0861dc731545e7cb493915ec7094bfb6b276acc534c45a233efc875eba9262d858f04973f45d4fc5439a2345922d67781e6fabc7c69c5bbfe0db52e0947881

        • C:\SysDrvFT\devbodloc.exe

          Filesize

          2.6MB

          MD5

          1d0092807d5e32a4fb5b62e91b0cbcae

          SHA1

          a9ce9d5061d1c291f2005992d0718692e48e3a65

          SHA256

          165ee61ae2cdb579a6da3b2b81c0b7a0e6b883682f91de9d59d51b13799a2d1e

          SHA512

          902ea39ac673c4ed9429a005f62a718198ecdef67286afdcd9db772383dc6f44b8d712a905eca23a96d510543eee5f513ab0eea42e9911b387952ba61c3e4d49

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          1011729555b515ee2a4479f740e8b4a6

          SHA1

          f76c1e45d0fd8c390113cd250a5069d9610bf796

          SHA256

          629a5fddd520006c56f2873c429d80105d120d355648751141f49aa41e31a804

          SHA512

          98196db4170cc975281b79b4498d15015c2160993a69e3d6d5d0cde3ac8dd92303a0a831cfa3bf952473fe456d74d2045fb8ce724993c39958ba7ec61921a353

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          eb65eaf83cdc950dec0500d22dcbec85

          SHA1

          cc500b523aecf9be8b84b38cacc770be5d2e56bd

          SHA256

          1e246bddcc3c2f3947ada3c5542d79244107c267d661a467f38801070ad747cb

          SHA512

          d0a92d7c9e9dc10e84e9e8213d982066b27ce530e94c9fa82c329f5acb13f201688c77d2367f64af99f0e6a62cb37167f50165acaccdcf4813ed2c436f0aa5eb

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          ecd23616b7febb3e8f9cb3f555c52ffd

          SHA1

          77c702e25ba61a529f3b987e1093c36b46e7947f

          SHA256

          e575fc1dacb8b5d6788b7b3b581d72468f20877c4dda4d32862fd89559f81d2c

          SHA512

          a108fce7c5bcb1029c8520e9a1561da021849895123c4af12a15eb09724e14a10287b9297e90f2ebcd01cfbb4d052423abc3f78d37b1436b883e055b2dfcac37