Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:55

General

  • Target

    903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe

  • Size

    2.6MB

  • MD5

    69399404c4e89f3d89a19eec66a21b20

  • SHA1

    125d83a8131e31a04bc45b0c9ff9847d246c6b99

  • SHA256

    903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2

  • SHA512

    28397b318c5205b16e80b8a901c1d70ef71f48b3dacea6b1b101d689aab7ae6d7c2cd813c052158a12307cb238ec89f55e40f9f9ef3e6988a42d4bae1123123d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
    "C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2236
    • C:\AdobeIV\devoptisys.exe
      C:\AdobeIV\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2872

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeIV\devoptisys.exe

          Filesize

          2.6MB

          MD5

          29bf8fc3e6e2d614243161c3116ad274

          SHA1

          7f3dd9afc7162f48bdbaa3046295347bc4e7396b

          SHA256

          53edf98b135e63d364bf544564bf4dba4eb912646b2cab4b39be579b7b54730f

          SHA512

          f8b2c1b827d6c4520dc8f33555c7270e1db4771859448a2edbcdf2ea0182217ed24a80e24abc1260861534399552351202c21a805f0bcecb78fbcdf1ec361ffa

        • C:\LabZUB\boddevec.exe

          Filesize

          2.6MB

          MD5

          ea923709029506384eeed6487dd94693

          SHA1

          b903e8f89756800565601cff6604f4ff30b35a95

          SHA256

          48fc3b0483cb5b62868b64fae977437c520d11850e348979e3bd35933de300dd

          SHA512

          b550a2d76d23f899bd53d6aad2226a26c745c1252a927889b993ae32230d344aa4c99d0961bbd4985935a349e1e6d5a4698702709c6f11d6c6ebf28273f165d1

        • C:\LabZUB\boddevec.exe

          Filesize

          2.6MB

          MD5

          e5eb85b7044afc2ed168ce80edb144de

          SHA1

          308e729893d39fce8d8c3cbe8e2fd4e6d48957d9

          SHA256

          83cbcc80b74d2dc8d7e76877c805de95189f960e750ce3295060d6efe16fd94c

          SHA512

          fd9340449b9bcf7218c05203e4ee78a85375ec4632a50d477c6e104fa2e870127be2caf4a7426430588b0d321d36ca7216e7f1d84128ee5e711ae8e21938d355

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          175B

          MD5

          ec6ecfb263758fbcbeb0484672d5f031

          SHA1

          76eb3e632bfc54b86cff94ddde740efd1f4d7dce

          SHA256

          784d239366191eed102166e80a76161cb37851d4f3fbab348512185ae6167a11

          SHA512

          e5769bdc751bb1dc2e4f60337e1bd71d7de7da05a491d85cc4f05b2647f0f23c8bbe770341df69712627886ec8ef80a76f9f138c0df4ab438b03993c6614130c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          207B

          MD5

          b99e25411fca632210976f10c4ce7907

          SHA1

          da3a5bc108233c66d97c1c5772c31f88af08c1b9

          SHA256

          69931423601356d1233f7968783da97deaf5e260e83ec6187c2096a03ad1115f

          SHA512

          355030f8b02cb348633333da5b80a50b4f9a2902cee04a84da74f82be2bdcbfa118384437383e3125ed7aa19ce51794acecfd29a69cb8295aa8664131a6165b0

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

          Filesize

          2.6MB

          MD5

          6c3461d59d1f2a5cbf7800e4ca89dcd9

          SHA1

          6dcd57c37cdf26f9b85dfdb57207630013357d16

          SHA256

          3fcdd79cf22920ee8a9ce2bdc92a06a31a90ef21a5c3c1f959b7027aa17d1012

          SHA512

          0e43deeb7359c2db59a7dd8188b78e1859681257a2fe4d21aa2a425566727eaedab9c603519e8daf0db1838b75d0c1aa97de59e48cf3da1cc65c281104e5c9aa