Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:42

General

  • Target

    668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe

  • Size

    2.6MB

  • MD5

    94e10e447e2a27fbe826f53226aafc60

  • SHA1

    0cf3b90fbcad5eacf96fbb85ee2ea9b675918b8f

  • SHA256

    668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61

  • SHA512

    3f4b0a685bb2d64c49689406f7c140d9488c64b53f154e69667a738f8eff66e77c29b8f341c32e4052e38ae8ca9528ce4700e7abecc7ce8fc772b2e971681519

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
    "C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2348
    • C:\SysDrvCY\devbodec.exe
      C:\SysDrvCY\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBFP\boddevsys.exe

    Filesize

    19KB

    MD5

    8722a447f61ffe9d22d59fd0342ccf10

    SHA1

    826bbfbb0ed172381a61dc1904ae4ed9c90d02ae

    SHA256

    e5ea5445b1355be949760b8d3409b4aa831b521e8828d60b254e6c91b67800de

    SHA512

    2dfe8e4a37d48d578fb19ab4c43ba773635f285acae7f154930f240179812021c46c16eb3a4fa7a846e4f8bee98eff71eceaabb882cb45162a223ea0724956fa

  • C:\KaVBFP\boddevsys.exe

    Filesize

    2.6MB

    MD5

    3627eab6936fbc3551462284d0743d11

    SHA1

    4a0636a537e0f5a4b6f88d54509b930f5317c9c5

    SHA256

    0b1fd4086ec3a95c55f56cb1b9188025f9b301ca1f52bcef9a6b2a23c2827934

    SHA512

    f94feedb95683d05923f920e2402a5a821509c4aab54ca56176e8c25e4b76985ac7a3931362907e8addd6e880f2e05d70dffd66fdfc8bad46fea70b9172696c5

  • C:\SysDrvCY\devbodec.exe

    Filesize

    1.4MB

    MD5

    665950aa252892be60312cf3e53ae228

    SHA1

    af5498b6db64251a20f415701b7781c696bec1b1

    SHA256

    76d5b26a8f51dac028db6cb1dfeeefb86a2d7429f76f80f55b669f2719b4b4c2

    SHA512

    41182484adf804ef2dffc2f7739469fa23c7c5d1cedb70aeec3a305b4da40b50ba9cf89b89f6a74532b76b7258fd63375d39cdd880e831c38aa8c784b7046c2e

  • C:\SysDrvCY\devbodec.exe

    Filesize

    2.6MB

    MD5

    1780c52aac8424bd6bd06134a9f5278f

    SHA1

    e86e58ebd04f94f43c216278beddd361643b59c0

    SHA256

    ef528b4eacde9533e50a102cc8ba50e145cfb5dd514b13acbc9bdae0f1d1b5d5

    SHA512

    b5b3629df086cedf205814a2495d878cacfab5c757111a3bb8b4fcf6a08fbb9629ecf6b5d0d6ffb6a091b7fc12a7f09751859c60464db5d816c1c785b8f991b1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    66716451e65c0b4ab7d2009794bec75d

    SHA1

    9f329d24f2b98ffc36baf76ed36c8b898669f76e

    SHA256

    4d76ba7fb07c03f3b194d1b4d79d7171badd4662dbd3d01ccb0f4e7a6dd14f48

    SHA512

    7749db2c2069522344a76eb573511f65c7a66d3c9cd11f703a8b111d752db331aaa3b5f6bdca4cbac84ef8c5cac6be49121e07dff7670e04db3dd7310eb74b22

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    51830f4f19ef68ed5822e947622324ce

    SHA1

    d0b55c525cdc1a62644acd3da91b23b38097dd1d

    SHA256

    b0ff4393d62922ebb054a78ffe51758e1086f552e5b6c5217460c9599eff9b85

    SHA512

    66f1abd8cb570fdaf9972051637eb357cabcdef78cca937f56b90285f18469e40dd796c1121955951b38db01ce06a071500343b69dc47454e203fd33bb1c48a3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    e333a298aff8ce442bddb527bfb2108c

    SHA1

    55872f02983dc0625f5754ea9283b4b324316c48

    SHA256

    80ad627aee4612d13d1a4cf6b4472ab15aec5516b2c9408d0407ceaeaaae036b

    SHA512

    587eb00f27d7cb6533cc727e65919aef0744c03f0d777e5d9015da1a867631ec64db0e25aafc79e628e39f3343fcd1f66a6886d2ba3746e74a97f4a6adda0932