Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-11-2024 01:41

General

  • Target

    adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe

  • Size

    2.6MB

  • MD5

    d4a5cb207156f346c2cb2b2aa3bd6260

  • SHA1

    dc959d1342dd6048efcc3bad5a9289f9a913d695

  • SHA256

    adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335

  • SHA512

    766360b90bd0f15c6785f3b19a547b45d3e94028617396beb1f49da2220c78c95940630500568b57130ddef9f65c21f18632e44974eff8a958543ff2c2c09b1b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSq:sxX7QnxrloE5dpUptbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe
    "C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2672
    • C:\SysDrv5I\devoptiec.exe
      C:\SysDrv5I\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2564

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrv5I\devoptiec.exe

    Filesize

    9KB

    MD5

    16a4bb0fc3d5c44be3028068af1ea1ef

    SHA1

    3525da0805ed7773dfef437f24482b727389e9db

    SHA256

    cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

    SHA512

    b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    7021160d1d1850a1df1ce6339fc1785b

    SHA1

    2a848deb9736fc61c4f80683615b83b8d3d70b56

    SHA256

    501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c

    SHA512

    87ca3a59e27fdc5fdcb82ef9473ceb61863aa653612d4a0a2e86d9375f88c09baa7a81675faad74374d935f610a54ec22cc95d88b4f3c28493c4fe1a7284f7ef

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    46ab6e41f27ca2a473f361a394b6178f

    SHA1

    fe90af481aa021b2624e4ea4ebcd80f3c36c138e

    SHA256

    25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332

    SHA512

    d43d4b508f7e6cf696ded3f8e46a54e44ae359d574edf5a5c43191d8553757b082c743165f8554b414e187cbcb59fe745b3a998b658d803f9efff7ee950f7646

  • C:\VidRZ\bodxloc.exe

    Filesize

    11KB

    MD5

    4b15a8dc60fb28ba194308947f8d0bdf

    SHA1

    addcf6f0cc5dc9577f5354dd3efdf91843caddb2

    SHA256

    eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152

    SHA512

    35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

  • C:\VidRZ\bodxloc.exe

    Filesize

    2.6MB

    MD5

    0d3beabd837f3aef510839ed6d446a61

    SHA1

    f210c1cabd85693033210b8bb5142b271dd32e2f

    SHA256

    bc2a0eac38af86e2a40b63870a7b43c32821a44f7020b0de846343e95f601cf5

    SHA512

    bb36d1275372c134f29d6ae1c322408757dfa25ecc0ea64994d10d07c2830f576a1befeff5fa8b5f4cf8c41fdd1863de120bb728704fbe8f411f255dcbbe298c

  • \SysDrv5I\devoptiec.exe

    Filesize

    2.6MB

    MD5

    e6506fff8a5b71e4f18698f6a66be1d1

    SHA1

    9de54cf31065efc84e50a43c82a04ee3220f88aa

    SHA256

    768f37a2372d4198d2e0efd4f779058de772a1dd707d75b3a0915860c74c81aa

    SHA512

    09e8f034197d6c5c7479a8df2bfdb1cb31c1d5df75910cb01373228457089d5710a87fca4242cc1a672e9b81de6ad87b044e5fb26319fad482f18e5297fca277

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    2.6MB

    MD5

    9a3c868a49c2dc4f6c610e710fca6833

    SHA1

    f27bec7cb945da454421e6e764244f7daae54f78

    SHA256

    4a7d7b808f1fdd6a25c2e2885cfc2fd7fdcf1adc79ba15c35a1f26a96c1c8ddf

    SHA512

    79117f659f1b229cbefff646025f775636d49d0e67b0d1f544e8c773ba70bd40116129aebfd6470d73d8262a895594836459209d479fcd1b9d54b879db5b1b59
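A hunting script for the artifacts recorded above, added here as an example and not part of the sandbox report or of the sample's own code. It takes the SHA256 values and dropped-file names from the General, Processes and Downloads sections, walks a directory tree for hash or name matches and for any executable in the per-user Startup folder (the persistence location the dropper used for sysxbod.exe), and on Windows lists HKCU Run values that reference a dropped-file name. The report states that a Run key was added but does not show the value, so matching Run values on their command line is an assumption. The demo tree and its bytes are constructed stand-ins, not the malware.

```python
"""Hunt a host for the artifacts recorded in the sandbox report above.

Added example, not the report's or the sample's code. Hashes and paths are
copied from the report; the demo directory tree is constructed.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA256 values copied from the report's General and Downloads sections.
REPORT_SHA256 = {
    "adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335": "submitted sample",
    "4a7d7b808f1fdd6a25c2e2885cfc2fd7fdcf1adc79ba15c35a1f26a96c1c8ddf": "sysxbod.exe (Startup folder)",
    "cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d": "devoptiec.exe (9KB)",
    "768f37a2372d4198d2e0efd4f779058de772a1dd707d75b3a0915860c74c81aa": "devoptiec.exe (2.6MB)",
    "eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152": "bodxloc.exe (11KB)",
    "bc2a0eac38af86e2a40b63870a7b43c32821a44f7020b0de846343e95f601cf5": "bodxloc.exe (2.6MB)",
}
# Dropped-file names from the process tree and Downloads list. Weaker signal:
# a re-packed variant keeps the name but not the hash.
REPORT_NAMES = {"sysxbod.exe", "devoptiec.exe", "bodxloc.exe"}
# Per-user Startup folder the dropper wrote sysxbod.exe into.
STARTUP_SUFFIX = "Microsoft/Windows/Start Menu/Programs/Startup"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so 2.6MB (or larger) files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=REPORT_SHA256):
    """Walk root and return sorted (relative posix path, reason) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            if digest in iocs:
                findings.append((rel, f"sha256 match: {iocs[digest]}"))
            if name.lower() in REPORT_NAMES:
                findings.append((rel, "dropped-file name from report"))
            # Any executable in the per-user Startup folder deserves a look,
            # even when its hash differs from the sandbox run.
            parent = rel.rsplit("/", 1)[0] if "/" in rel else ""
            if name.lower().endswith(".exe") and parent.endswith(STARTUP_SUFFIX):
                findings.append((rel, "executable in Startup folder"))
    return sorted(findings)


def scan_run_key():
    """On Windows, return HKCU Run values whose data mentions a reported name.

    The report says a Run key was added but does not show the value, so this
    matches on the command line only (assumption: it references a dropped
    file). Returns [] on other platforms.
    """
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            i += 1
            if any(n in str(data).lower() for n in REPORT_NAMES):
                hits.append((name, data))
    return hits


def demo():
    """Constructed tree mirroring the report's paths; stand-in bytes, not malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "Users/Admin/AppData/Roaming" / STARTUP_SUFFIX
        startup.mkdir(parents=True)
        (startup / "sysxbod.exe").write_bytes(b"MZ constructed stand-in")
        (root / "SysDrv5I").mkdir()
        payload = b"MZ constructed stand-in for devoptiec.exe"
        (root / "SysDrv5I" / "devoptiec.exe").write_bytes(payload)
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ benign stand-in")
        # Add the stand-in's hash so the hash-match path is exercised offline.
        iocs = dict(REPORT_SHA256)
        iocs[hashlib.sha256(payload).hexdigest()] = "constructed stand-in"
        return scan_tree(root, iocs)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else demo()
    for rel, reason in results:
        print(f"{reason:40s} {rel}")
    for name, data in scan_run_key():
        print(f"{'HKCU Run value':40s} {name} = {data}")
```

Run it with a drive root or a mounted image path as the first argument to sweep a real host; with no argument it scans the constructed demo tree. Name and Startup-folder hits are leads to triage, not verdicts; a SHA256 hit against the report's values is the strong indicator.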