Analysis
max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Resource: win10v2004-20241007-en
General
Target: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Size: 2.6MB
MD5: 7204795903d90d323e85f5187f2728a1
SHA1: 10dd0752e9ed7959ed28b992fdf71df7a0412beb
SHA256: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0
SHA512: 87179bc47902db598fef83161acfe2bf56841bd0586f05c04df683928c2a33fb1d1ddbcc9db48fe498b55d07645e83263ac0fdbcb233f624e484af535a1a89f5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpSb
Malware Config
Signatures
Drops startup file - 1 IoC
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    by process: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Executes dropped EXE - 2 IoCs
  PID 2824  sysdevbod.exe
  PID 2720  devdobec.exe
Loads dropped DLL - 2 IoCs
  PID 2260  1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  PID 2260  1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Reads user/profile data of web browsers - 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application - 2 TTPs, 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY5\\devdobec.exe"
    by process: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6N\\dobdevloc.exe"
    by process: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
System Location Discovery: System Language Discovery - 1 TTP, 3 IoCs
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: sysdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: devdobec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Suspicious behavior: EnumeratesProcesses - 64 IoCs
  PID 2260  1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  PID 2260  1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  PID 2824  sysdevbod.exe
  PID 2720  devdobec.exe
  (the two entries for PID 2824 sysdevbod.exe and PID 2720 devdobec.exe repeat alternately for the remaining IoCs; 64 entries in total)
Suspicious use of WriteProcessMemory - 8 IoCs
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2824, target procid 31
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2824, target procid 31
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2824, target procid 31
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2824, target procid 31
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2720, target procid 32
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2720, target procid 32
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2720, target procid 32
  PID 2260 (1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe) wrote to memory of PID 2720, target procid 32
Processes
  C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
    PID: 2260
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
        PID: 2824
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\SysDrvY5\devdobec.exe
        Command line: C:\SysDrvY5\devdobec.exe
        PID: 2720
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 2.6MB
  MD5: 58a3f67b7e0547ca04aeeb078b8d3027
  SHA1: 1bfe8e7515ebbc6c0b78f91640fb772b8cfe33b7
  SHA256: 0f35220f56c2c852dbcfae4793d5f6ced83107f180bb8adbff11c8986a9d51d7
  SHA512: 9748dbc6a510d64a9051a5e5a5e23b5c59ee0879cf5d0c49e80126544b794e0d2eb39dd998d2fb3349731e892a76b4dbe978242b13b494d8d9d7322b2a59df4f

  Filesize: 2.6MB
  MD5: 5bf70e49a06df99f48614b74b15d434a
  SHA1: 0a0780e01d0dbaca69955b712964d42f74ca2aef
  SHA256: 55d8027ea15d27c9692d11168e3d862b2421308f989f183c88c402fd7dc1d4b1
  SHA512: aff449100a7513dd74ad1ef8ae34bc7d9deb390faab35ad7a29bc9187fbe3f2df7b8655d86d666a73f881414ab219994f2b00bfce979878cfec1e8859f9bac52

  Filesize: 2.6MB
  MD5: 31f1c6b73049d8dfbcd2d508df314b93
  SHA1: 397770e61453d5079c6ae695a09375da086e6c52
  SHA256: 7d64070726ddbb8d33eb4ed0827756f06b4b4cd3c2f26d309fe300596ef498e7
  SHA512: 992407621276faa43fc94ad2b141d51319d34bf49b861e006d778b29c984b784ce03943f06b187c57fe48afd612913eb0e14050396eed7c014f2147fbae42455

  Filesize: 174B
  MD5: 53042dd46a594493dd1be073cb201417
  SHA1: 088907f3f3c75c8ae7e654b00b598b8ae20c11ad
  SHA256: ef69422d0852f478dfffc3a092bfffef71802d9f07ffd9bde327407fc8088b6e
  SHA512: c8c4ffc837cf54c9f4206070575472d66786824ca134a608a9bc96a93b2c044f2e7c2070c751fcd5a6e26bf4759ec66533b433bf320511659cf0dea37e1a996a

  Filesize: 206B
  MD5: aa8b3c3faa39618e547e32fe0b2774b1
  SHA1: d0ea88d57b78ba57f5bcaeac85ea2d4c70a23d1b
  SHA256: 58f80448decf025b135af3a191331d04ad4f5e6b8fb418f0de127756e8ca442e
  SHA512: 2d9866408aae6bea30b5c41b2b15016ec50a52d2af64d73789d43f9f4ab65ac82087be3365c624e04f836d7fb0ea08a36aa07696f80b1db418fd060671660d22

  Filesize: 2.6MB
  MD5: 2b5e30427ee299541d459b50869a7e68
  SHA1: 22b20d0d32e6a7cabfccdd1982a5437ea667eab7
  SHA256: 95c60506b2e93e796e068b255674df1c6a168f8da3e2546f3c6cdcb5644e8e6c
  SHA512: a4e2f4125f149ffd21da2b70148798ff625969f335958275b341dfbed374af34dfa339c5c6592db13ee599ef42d07249e9f8b318485750a09e286770672cee62