Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:24

General

  • Target

    6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe

  • Size

    2.6MB

  • MD5

    6d95fae96a1934e6ddb07952c4ff8650

  • SHA1

    6750b89dc3d53d195b1f4b20be35f12688e3de66

  • SHA256

    6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c

  • SHA512

    dbcd23134f03e33b8331b37f8fa2b138c75bebae3e8729cf412599cdbacdc9b0fae6058b921d0e99f14c4cea29173a1936ffb960f99370e2eec45a9f7ebb0adc

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUpjbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
    "C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:32
    • C:\AdobeBV\devbodec.exe
      C:\AdobeBV\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3648

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeBV\devbodec.exe

          Filesize

          2.6MB

          MD5

          6f2ea52125b8a0cb73556c7043ca0f25

          SHA1

          5c120d0a5b17ea5ca94cd55e1cc2eec8998cc333

          SHA256

          412766d2a986160186b318061835cb590e423c81519c7e5b6e085f85bf68af45

          SHA512

          2a56fae238f69199a7f9d4c6f513d976c87f530ded9764a544d5c39d35e4f07697998d4476e42f039b9784d46125fde1c3e720f27bce5db1a74dcfb06a15d680

        • C:\LabZV1\dobxsys.exe

          Filesize

          2.6MB

          MD5

          f4b607f86090f06baed145c3eacc9b58

          SHA1

          d1164ece0173e7b46d4b81f790f0f978a446b864

          SHA256

          0061458d3ddc80246cd94abdf5dff21928397f51d84dfdc53459db9c774c29a4

          SHA512

          ab514828d74638c637f1fcf22dc32b7c219442ae89e45bbf8860c67c206cf9cd1392c105d980876b589efa2f1f980c5b1d919cae3609dc6d0ffcd7b2091e467c

        • C:\LabZV1\dobxsys.exe

          Filesize

          2.6MB

          MD5

          397744892b5d8f39e5182b54b2f2461c

          SHA1

          2df4ec700687effefadec70e755676fc7296c016

          SHA256

          d272e422ca81489289414b2a86b3b7a7a7826c1833fdd9756c9f1fde716fa75e

          SHA512

          1c30161ceaa8cb5c82cb81c49486a3426c55412cab9ece1790dd680d2c53ebfe25c15f0b25ea09232764a71f5e0c6f1ffe9b59cae844787bd078e2b39b97626e

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          04fe157d1769b0862d13c99f89828fc2

          SHA1

          0da7dc3dd9bba784909071370f118b946e9663db

          SHA256

          6d89a56d113f0c1240b9098ddf4e3ba79484b1384592ea0f308a831c9355a19f

          SHA512

          f54e6dee9218650502e57c94cdfe7dc14618b634ab2ea140f88f73804b1e07f4b580d2f6c66dbe88a063ef216dfbd1e3d568ce137cdcc5b406d11d54bcf0a430

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          dcbe537276dd167a9057b36acb948a79

          SHA1

          3500929210bb4f4c9f21e81e156790a392ba240e

          SHA256

          28cd43aa1f41d171bfea5f27f44f036ec30b0c693ce1992a01191fe5b2e0971d

          SHA512

          6bdcd253ce07b5b096c9b6473b6fa3230504ac858a726a5c997b4ed64d56677efcf2a75f1a5e81fb51f3289b86aeaef650b76fc6ee60397216421d945a753be7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          8039c061ccf4b71cbb4483534236ff11

          SHA1

          c4af1ef91835ae3d56f917f9897ad8e20e17d184

          SHA256

          2109ec743ccf74e4d98b41fb9578eea8c7cd6166af779559345f97c981a14163

          SHA512

          fdfa76fa794b6e2c6977c06fa48465a380718acb360b63ee9a2bae61a1b686b59226fb7b88037f3a17037694a7ae7b07fd52dd6dfd807543df55a6e92fd448e3
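The dropped-file list above is the part of this report worth pivoting on, and it carries a caveat: C:\LabZV1\dobxsys.exe was written twice with different contents, and none of the 2.6MB executables (the submitted sample, devbodec.exe, both copies of dobxsys.exe, sysabod.exe) share a hash, so a hash-only IOC taken from one run will not match the next copy. The script below is added here as an example for this page and is not code from the sandbox vendor. It assumes the plain-text layout shown above (a "•" line carrying the path, followed by label/value line pairs), parses that block into IOC records, validates each hash for length and charset, flags paths written more than once with differing SHA256, and picks out the drop into the per-user Startup folder. The embedded input is copied from the Downloads section above, with the SHA512 lines left out for brevity.

```python
"""Turn the 'Downloads' (dropped files) block of a sandbox report into IOC records.

Added example for this page; not code from the sandbox vendor. It assumes the
plain-text layout shown above: a '•' line with the path, then label/value line
pairs (Filesize, MD5, SHA1, SHA256, SHA512).
"""
import re
from collections import defaultdict

# Copied from the report's Downloads section above (SHA512 lines left out to keep
# the excerpt short; the parser accepts them when present).
REPORT_EXCERPT = r"""
• C:\AdobeBV\devbodec.exe
  Filesize
  2.6MB
  MD5
  6f2ea52125b8a0cb73556c7043ca0f25
  SHA1
  5c120d0a5b17ea5ca94cd55e1cc2eec8998cc333
  SHA256
  412766d2a986160186b318061835cb590e423c81519c7e5b6e085f85bf68af45
• C:\LabZV1\dobxsys.exe
  Filesize
  2.6MB
  MD5
  f4b607f86090f06baed145c3eacc9b58
  SHA1
  d1164ece0173e7b46d4b81f790f0f978a446b864
  SHA256
  0061458d3ddc80246cd94abdf5dff21928397f51d84dfdc53459db9c774c29a4
• C:\LabZV1\dobxsys.exe
  Filesize
  2.6MB
  MD5
  397744892b5d8f39e5182b54b2f2461c
  SHA1
  2df4ec700687effefadec70e755676fc7296c016
  SHA256
  d272e422ca81489289414b2a86b3b7a7a7826c1833fdd9756c9f1fde716fa75e
• C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize
  201B
  MD5
  04fe157d1769b0862d13c99f89828fc2
  SHA1
  0da7dc3dd9bba784909071370f118b946e9663db
  SHA256
  6d89a56d113f0c1240b9098ddf4e3ba79484b1384592ea0f308a831c9355a19f
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  Filesize
  2.6MB
  MD5
  8039c061ccf4b71cbb4483534236ff11
  SHA1
  c4af1ef91835ae3d56f917f9897ad8e20e17d184
  SHA256
  2109ec743ccf74e4d98b41fb9578eea8c7cd6166af779559345f97c981a14163
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Per-user Startup folder: anything dropped here runs at the next logon.
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"


def parse_size(text: str) -> int:
    """'2.6MB' -> 2726297, '201B' -> 201 (report sizes are rounded, so treat as approximate)."""
    m = re.fullmatch(r"([0-9.]+)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text: str) -> list[dict]:
    """One dict per '•' entry; hash values are validated for length and hex charset."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Walk the block as (label, value) pairs; lines that are not a known label are skipped.
    for label, value in zip(lines, lines[1:] + [""]):
        if label.startswith("•"):
            current = {"path": label.lstrip("•").strip()}
            records.append(current)
        elif current is None:
            continue
        elif label == "Filesize":
            current["size"] = parse_size(value)
        elif label in HASH_LEN:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[label], value.lower()):
                raise ValueError(f"{current['path']}: malformed {label} {value!r}")
            current[label.lower()] = value.lower()
    return records


def rewritten_paths(records: list[dict]) -> dict[str, list[str]]:
    """Paths written more than once with different content: a SHA256 from one copy misses the next."""
    seen = defaultdict(set)
    for r in records:
        seen[r["path"]].add(r["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def autostart_paths(records: list[dict]) -> list[str]:
    """Dropped files that live in the per-user Startup folder (persistence on logon)."""
    return [r["path"] for r in records if STARTUP_DIR in r["path"].lower()]


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    for r in recs:
        print(f"{r['sha256']}  {r['size']:>8}  {r['path']}")
    print("rewritten:", rewritten_paths(recs))
    print("autostart:", autostart_paths(recs))
```

Run it as a script to print one line per dropped file plus the two findings. When feeding the hashes to a blocklist, also match on the drop paths and filenames (C:\AdobeBV\devbodec.exe, C:\LabZV1\dobxsys.exe, the Startup-folder sysabod.exe), since every copy on this page hashes differently.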