Analysis

  • max time kernel: 120s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 22:53

General

  • Target
    e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  • Size
    2.6MB
  • MD5
    99bb09ec08a756d69433b3d74452bb40
  • SHA1
    ff7b2379ab9fef415b751a26b37bcbcf75cfcc53
  • SHA256
    e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348
  • SHA512
    eb7d47e90f8f03aa3eca19735585fcfdb77746741543e0d40b7dce36f70447a1292e6fea0b9ced1b3fadcd4fa0c9b3697f8c6fb013611350fc2b82fbe8c8c140
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
    "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
    • C:\SysDrvUF\devbodec.exe
      C:\SysDrvUF\devbodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvUF\devbodec.exe
    Filesize: 2.6MB
    MD5: 85e3d76c6e1037140521fc61b569fa5f
    SHA1: a04251210ac9f13b99b3aedfe3ded1f76f2cbe10
    SHA256: fb724dc0acbb4736e1696c344af5932d885bd0e2bf3b6ac99ac37e0abc1334bf
    SHA512: 05158b0bc53f42946a0ac34c1225ca66dcc1da890c70410f567fd4e57105e96015a8693d43cc3430a70e09d696a100bed8590ff098d7166437725c5192c4e445

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 141524b70056eca78247a4cfa55b90ba
    SHA1: 460552fcf0e7c80c46e7bbd87f401a64ca7eda42
    SHA256: 676e4f3c0ee346b061f44ebec8c5d18aa417a8ae7d06ce94690243d4afc59a0a
    SHA512: 5581503b102013765a2b1efd733c47860a32f6b6a0eb8114d4f11577e5e245f8a8a0150b3e2e77251ee5737964d18b9c0d9f2d72af38971017a019af644c8258

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: 5e83204ef3fa4bce2de1e3ea10ab24b7
    SHA1: a8c16d535f64bd84255a03da79c5cf9255b38f88
    SHA256: c73da94fe1fb34969e5d53cab61806201369eef2d7f2a0f03879aefbbfbcbaf0
    SHA512: c18d4e12535ffd11d277563c695366b0f07e18e70eb60563d96800b9748a365e8f8f1baa01269e991e6d76c6dc4dd065981f8711b218f7c46156df92adb35319

  • C:\VidPE\bodaec.exe
    Filesize: 2.2MB
    MD5: 91c69295f6b45020d2804a51bc5e50af
    SHA1: fc976342eedb3e9f7ede9577c4fb98dddd8ec052
    SHA256: 9905b582841c010db0f17903dcf91a83c3066d729391b5a863135e9490daa776
    SHA512: 2ac6280ba837e82177e11c1111c61b121d297af073b860414853aff31df8266440b07cc50fbf9e39bc5a1b12c78363722533171b1f95889a489f515c9a52ec68

  • C:\VidPE\bodaec.exe
    Filesize: 2.6MB
    MD5: f7d010d14c1c051d957992a6dfcab3ce
    SHA1: bf851da7f6e53330991ec9227f0c74dfce7015f3
    SHA256: 0cc5edaeab931ab7ec7289303155a4477f29e43eacc364c5d1f101139c73140f
    SHA512: 19cb5fc3b076782535b9ce16a53ec238ebba328c1ef278a635e8caad7265d5e1a06d72887c844edb486d7567231133ef88da18d137113b62a9610322e5f2c3e4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 2.6MB
    MD5: a4cff8d98b430dc1c21c0869be3562b1
    SHA1: bb9e68c7678253fa511b03d151ab0835dc266fc7
    SHA256: 36a35f23cd5efde5c7247c40113358b7622c46eb8c11b102df5d9091f9b66bf5
    SHA512: a252e91bdefc017e990f9e4ab542814fc2e3d23e00881720aa7b6154600b21d56c3a7ffaedd9ece817f0bf62dbd6bae60a9b17a69252e3364ebf1de4a47611dd