Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 20:16

General

  • Target

    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe

  • Size

    2.6MB

  • MD5

    7204795903d90d323e85f5187f2728a1

  • SHA1

    10dd0752e9ed7959ed28b992fdf71df7a0412beb

  • SHA256

    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0

  • SHA512

    87179bc47902db598fef83161acfe2bf56841bd0586f05c04df683928c2a33fb1d1ddbcc9db48fe498b55d07645e83263ac0fdbcb233f624e484af535a1a89f5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpSb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
    "C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2824
    • C:\SysDrvY5\devdobec.exe
      C:\SysDrvY5\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZ6N\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          58a3f67b7e0547ca04aeeb078b8d3027

          SHA1

          1bfe8e7515ebbc6c0b78f91640fb772b8cfe33b7

          SHA256

          0f35220f56c2c852dbcfae4793d5f6ced83107f180bb8adbff11c8986a9d51d7

          SHA512

          9748dbc6a510d64a9051a5e5a5e23b5c59ee0879cf5d0c49e80126544b794e0d2eb39dd998d2fb3349731e892a76b4dbe978242b13b494d8d9d7322b2a59df4f

        • C:\LabZ6N\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          5bf70e49a06df99f48614b74b15d434a

          SHA1

          0a0780e01d0dbaca69955b712964d42f74ca2aef

          SHA256

          55d8027ea15d27c9692d11168e3d862b2421308f989f183c88c402fd7dc1d4b1

          SHA512

          aff449100a7513dd74ad1ef8ae34bc7d9deb390faab35ad7a29bc9187fbe3f2df7b8655d86d666a73f881414ab219994f2b00bfce979878cfec1e8859f9bac52

        • C:\SysDrvY5\devdobec.exe

          Filesize

          2.6MB

          MD5

          31f1c6b73049d8dfbcd2d508df314b93

          SHA1

          397770e61453d5079c6ae695a09375da086e6c52

          SHA256

          7d64070726ddbb8d33eb4ed0827756f06b4b4cd3c2f26d309fe300596ef498e7

          SHA512

          992407621276faa43fc94ad2b141d51319d34bf49b861e006d778b29c984b784ce03943f06b187c57fe48afd612913eb0e14050396eed7c014f2147fbae42455

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          53042dd46a594493dd1be073cb201417

          SHA1

          088907f3f3c75c8ae7e654b00b598b8ae20c11ad

          SHA256

          ef69422d0852f478dfffc3a092bfffef71802d9f07ffd9bde327407fc8088b6e

          SHA512

          c8c4ffc837cf54c9f4206070575472d66786824ca134a608a9bc96a93b2c044f2e7c2070c751fcd5a6e26bf4759ec66533b433bf320511659cf0dea37e1a996a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          aa8b3c3faa39618e547e32fe0b2774b1

          SHA1

          d0ea88d57b78ba57f5bcaeac85ea2d4c70a23d1b

          SHA256

          58f80448decf025b135af3a191331d04ad4f5e6b8fb418f0de127756e8ca442e

          SHA512

          2d9866408aae6bea30b5c41b2b15016ec50a52d2af64d73789d43f9f4ab65ac82087be3365c624e04f836d7fb0ea08a36aa07696f80b1db418fd060671660d22

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

          Filesize

          2.6MB

          MD5

          2b5e30427ee299541d459b50869a7e68

          SHA1

          22b20d0d32e6a7cabfccdd1982a5437ea667eab7

          SHA256

          95c60506b2e93e796e068b255674df1c6a168f8da3e2546f3c6cdcb5644e8e6c

          SHA512

          a4e2f4125f149ffd21da2b70148798ff625969f335958275b341dfbed374af34dfa339c5c6592db13ee599ef42d07249e9f8b318485750a09e286770672cee62