Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Resource: win10v2004-20241007-en
General
Target: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
Size: 2.6MB
MD5: 99bb09ec08a756d69433b3d74452bb40
SHA1: ff7b2379ab9fef415b751a26b37bcbcf75cfcc53
SHA256: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348
SHA512: eb7d47e90f8f03aa3eca19735585fcfdb77746741543e0d40b7dce36f70447a1292e6fea0b9ced1b3fadcd4fa0c9b3697f8c6fb013611350fc2b82fbe8c8c140
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
Executes dropped EXE (2 IoCs)
  PID 2548: sysaopti.exe
  PID 2932: devbodec.exe
Loads dropped DLL (2 IoCs)
  PID 2064: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  PID 2064: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUF\\devbodec.exe"
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPE\\bodaec.exe"
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysaopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2064: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe (2 entries)
  PID 2548: sysaopti.exe and PID 2932: devbodec.exe (alternating, remaining 62 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2064 (e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe) wrote to memory of PID 2548, procid_target 31 (4 entries)
  PID 2064 (e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe) wrote to memory of PID 2932, procid_target 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe"
  PID: 2064
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
    PID: 2548
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\SysDrvUF\devbodec.exe
    Command line: C:\SysDrvUF\devbodec.exe
    PID: 2932
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads