Analysis
  max time kernel: 120s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-11-2024 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  Resource: win10v2004-20241007-en
General
  Target: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  Size: 2.6MB
  MD5: 94e10e447e2a27fbe826f53226aafc60
  SHA1: 0cf3b90fbcad5eacf96fbb85ee2ea9b675918b8f
  SHA256: 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61
  SHA512: 3f4b0a685bb2d64c49689406f7c140d9488c64b53f154e69667a738f8eff66e77c29b8f341c32e4052e38ae8ca9528ce4700e7abecc7ce8fc772b2e971681519
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe

Executes dropped EXE (2 IoCs)
  pid | process
  2348 | sysadob.exe
  4592 | devbodec.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCY\\devbodec.exe" | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFP\\boddevsys.exe" | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three pid/process rows, collapsed here)
  pid | process
  5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  2348 | sysadob.exe
  4592 | devbodec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 5092 wrote to memory of 2348 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | sysadob.exe
  PID 5092 wrote to memory of 2348 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | sysadob.exe
  PID 5092 wrote to memory of 2348 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | sysadob.exe
  PID 5092 wrote to memory of 4592 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | devbodec.exe
  PID 5092 wrote to memory of 4592 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | devbodec.exe
  PID 5092 wrote to memory of 4592 | 5092 | 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | devbodec.exe
Processes

C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
  PID: 5092
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      PID: 2348
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\SysDrvCY\devbodec.exe
      command line: C:\SysDrvCY\devbodec.exe
      PID: 4592
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads