Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 22:57
Static task: static1
Behavioral task: behavioral1
Sample: dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Resource: win10v2004-20241007-en
General
Target: dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Size: 2.6MB
MD5: 87728a415246cf1e3538fe76b2acf843
SHA1: 3bce8a71a9c0718c9d3a044457ea55f8b3419bb4
SHA256: 5176155f86655f989e23071d0faf656ee8d09890c0b52771cfff45dc93053a85
SHA512: 39eb8df8e93f475534011eac272fb0a36909bd080b7d2db9ac04a0bb8fdf152117fc7a63c67400fc3bb5ef731be66f798f1822bddbb3ebdbf6b0fa2614a3d41d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSo:sxX7QnxrloE5dpUp0bT
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Executes dropped EXE 2 IoCs
pid | Process
2208 | sysdevdob.exe
2276 | xbodsys.exe
Loads dropped DLL 2 IoCs
pid | Process
1936 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
1936 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMD\\xbodsys.exe" | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0V\\optixloc.exe" | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevdob.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1936 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe (2 entries)
2208 | sysdevdob.exe (repeated entries)
2276 | xbodsys.exe (repeated entries)
All 64 entries belong to these three processes; the 2208/2276 rows alternate for the remainder of the list.
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1936 wrote to memory of 2208 | 1936 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 30 (4 entries)
PID 1936 wrote to memory of 2276 | 1936 | dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1936
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2208
  - C:\UserDotMD\xbodsys.exe
    Command line: C:\UserDotMD\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2276
Network
MITRE ATT&CK Enterprise v15
Downloads