Analysis
max time kernel: 149s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
Resource
win10v2004-20241007-en
General
Target: a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
Size: 2.6MB
MD5: d1d59df8ac06d0567fe91e5a58b7e062
SHA1: 66c0620362f5d81606d1597592611a8009da8f77
SHA256: a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890
SHA512: 80e49a9af30a1de1b6f992f0a45e8b3ea25d251fc2c2bfe450d424909bcf5f675c01e4b45c2c35ef76cf2d43d01391b945dc570f887f4ea867fce4e0604aa08e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
description    ioc                                                                                        Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe

Executes dropped EXE 2 IoCs
Processes:
pid    Process
1876   sysxbod.exe
4548   devbodec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description       ioc                                                                                                                                                  Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI2\\devbodec.exe"       a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB45\\optiaec.exe"         a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                        Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   devbodec.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sysxbod.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated rows collapsed; counts sum to the 64 IoCs above):
pid    Process                                                                 entries
1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   4
1876   sysxbod.exe                                                             30
4548   devbodec.exe                                                            30
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid    Process                                                                 procid_target
PID 1072 wrote to memory of 1876   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   90
PID 1072 wrote to memory of 1876   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   90
PID 1072 wrote to memory of 1876   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   90
PID 1072 wrote to memory of 4548   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   92
PID 1072 wrote to memory of 4548   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   92
PID 1072 wrote to memory of 4548   1072   a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe   92
Processes (tree; children are indented under the parent)
C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1072

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1876

    C:\IntelprocI2\devbodec.exe
      Command line: C:\IntelprocI2\devbodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4548

Network
MITRE ATT&CK Enterprise v15
Downloads