Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:16

General

  • Target

    a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe

  • Size

    2.6MB

  • MD5

    1e6b7b2d879e371aa812a340804422e2

  • SHA1

    f8b065132013f26d96ae33528799d359860c447b

  • SHA256

    a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526

  • SHA512

    4ae97bbe846fc04accf0463eca49feb7251d5118203b270fec651bfd0233eddb7589423bfe83e328ef44745889068e6f7bd94cc61718eadf79292058f4b6769c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSq:sxX7QnxrloE5dpUp8bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe
    "C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2516
    • C:\IntelprocM0\devdobsys.exe
      C:\IntelprocM0\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocM0\devdobsys.exe

    Filesize

    2.6MB

    MD5

    4a8ecbb858a393503f9c2c419b0f792a

    SHA1

    d1c54c4fa8e343ec86bc60eab3227c644907a260

    SHA256

    d3571251c1f97284e9c80e3498a75857c602eecadad865aacd41c6d38204a129

    SHA512

    74c8ddaac5ebbef36d1d5171f515efd7a161a939c455b36288f49efe558f3bc2e2f09298c773cba10c12a7dea470c94bbb6b8caa03ee63ce8eeaa92dd22c18c9

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    2fb258ad28a2cfec31d1d1f82ba19c37

    SHA1

    33edc57cd922f01b2e40ee5b0205a2f4f9d6479f

    SHA256

    d4ac7b135d019c49b514f0c9d7825a712d37695987a78c1f94d0f8edd9da90b5

    SHA512

    0185360ba22476110fa589234f9e7cef9408859fdcba447eeff51e9653d63e4ddfd67c15d17064a65da2f628d522fd42375cab50588698968ff4e9a19eb5cdaa

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    50bd0ec766749aa606de0aca5f05b103

    SHA1

    009978d0b5146213dcd1ecff4977daafdd6e2b66

    SHA256

    f4b6e3e0b214bd150730dcd609767cc69f8c63d68094c48f566fb32729fe6ca1

    SHA512

    cbdb9b025b664526df2041355160e444a3047439b5e9aa10222e982cb2a6518b9c8f2076835f89c5b7b613fa18704a2ca9c97f01acd30f81d652b0361fa3ceca

  • C:\VidMM\bodxec.exe

    Filesize

    2.6MB

    MD5

    5fca3193bc1596a76b40926e40eb9269

    SHA1

    40d52c8c9aaadf9c7179b3aae48c787d82952e8f

    SHA256

    11ed9dfb1e904bcc37c132c49f5178ecc443fc19270afd5e47c207b05c012705

    SHA512

    dcb3ce99756cba01b110201a5b2784992a4365eb06c977975156ca53397b474a9b711887524aceca861d0b9d2f0076374f2d4a6f37d314f331d89d7efc2dff7f

  • C:\VidMM\bodxec.exe

    Filesize

    2.6MB

    MD5

    aa5ac7fe03d220418f1bc9f39164088b

    SHA1

    49ea3925bcb8ec0fbc2c7e88b82e0f9f387c691f

    SHA256

    2bb96813e86234e85e25211473e0ce996d5bcac56c4a2eb4c0b9280e6034324e

    SHA512

    e21bcf77218af7d626e452b4ef56fb9706ff7533a9499bdbbf348d8ad74198de909433c4248b031e204362122c5f9081ce55af0f6da83d9aceff401cf6576bdf

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    2.6MB

    MD5

    b85c10824ccacc8221bde1336898512f

    SHA1

    7c4e8617e62f9822a1cd634261840d89f76573e0

    SHA256

    bbdc9124ac0651e9e155723c66a16a1e897d5e6cda1ff9a2ede6b643642c63e2

    SHA512

    4cd5647922c2bf7cbba03958824a1c002583f3d540030d9167b67adf555d8e455147411a6f8bcc4ad913fe6288ef6fce100f3f56a8ff7f33a7dfeca9d0548e09