Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 22:59
Static task: static1
Behavioral task: behavioral1
  Sample: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  Resource: win10v2004-20241007-en
General
Target: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Size: 2.6MB
MD5: 640fec66562ae3fdeec14844e2da29b0
SHA1: c74620f93493cfdbcee93b10c4c821fb55739241
SHA256: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5
SHA512: d736e38c9b366dcc2da152a889e7062aa0066dad57ddaf24839892a0bb19d9a33eb5a894b1c5bed38a57383aa288e0508ad859a81ddce968edf355ce1816b0b7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSq:sxX7QnxrloE5dpUpybV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe, by process c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Executes dropped EXE (2 IoCs)
  PID 2532: sysdevbod.exe
  PID 2424: adobec.exe
Loads dropped DLL (2 IoCs)
  PID 108: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files43\\adobec.exe", by process c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXJ\\optidevec.exe", by process c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process sysdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process adobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 108: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe (2 entries)
  PID 2532: sysdevbod.exe and PID 2424: adobec.exe (the remaining 62 entries, alternating between the two processes, 31 each)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 108 (c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe) wrote to memory of PID 2532, procid_target 29 (4 entries)
  PID 108 (c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe) wrote to memory of PID 2424, procid_target 30 (4 entries)
Processes
"C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe" (depth 1, PID 108)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" (depth 2, PID 2532, child of PID 108)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Files43\adobec.exe (depth 2, PID 2424, child of PID 108)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads