Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:24
Static task: static1
Behavioral task: behavioral1
  Sample: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  Resource: win10v2004-20241007-en
General
Target: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
Size: 2.6MB
MD5: 6d95fae96a1934e6ddb07952c4ff8650
SHA1: 6750b89dc3d53d195b1f4b20be35f12688e3de66
SHA256: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c
SHA512: dbcd23134f03e33b8331b37f8fa2b138c75bebae3e8729cf412599cdbacdc9b0fae6058b921d0e99f14c4cea29173a1936ffb960f99370e2eec45a9f7ebb0adc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUpjbV
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe

Executes dropped EXE (2 IoCs)
  PID 32: sysabod.exe
  PID 3648: devbodec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other account data. The report lists TTPs for this signature but no individual IoC (no specific file or registry path is shown).
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBV\\devbodec.exe"
    process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZV1\\dobxsys.exe"
    process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysabod.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1096 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe: 4 events
  PID 32 sysabod.exe: 30 events
  PID 3648 devbodec.exe: 30 events
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1096 (6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe) wrote to memory of PID 32, procid_target 87: 3 events
  PID 1096 (6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe) wrote to memory of PID 3648, procid_target 88: 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
  PID: 1096
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      PID: 32
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\AdobeBV\devbodec.exe
      command line: C:\AdobeBV\devbodec.exe
      PID: 3648
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
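The signatures and process tree above give a compact set of host artifacts for this run: a copy named sysabod.exe in the user's Startup folder, a Run value named Parametr pointing at C:\AdobeBV\devbodec.exe, a RunOnce value of the same name pointing at C:\LabZV1\dobxsys.exe, and two child processes written to by the parent. The following read-only triage script is an added example and is not part of the sandbox report; it checks an endpoint for exactly those artifacts and compares any file it finds against the SHA-256 values the report lists (the sample itself plus the six entries in the Downloads table). Assumptions: it is run in the context of the affected user, so HKCU: and $env:APPDATA resolve to the hive and profile the report shows under S-1-5-21-...-1000; paths are taken verbatim from the sandbox and a variant may use different ones. Note that dobxsys.exe never appears in this run's process tree or Downloads hashes (RunOnce entries fire at the next logon, and the sandbox did not reboot), so for that file only presence is reported.

```powershell
# Added triage example (not from the sandbox report): look for the persistence
# artifacts listed in the report, read-only. Run as the affected user.

# Values copied from the "Adds Run key" and "Drops startup file" signatures.
$RunValueName    = 'Parametr'
$RunKeys         = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ExpectedTargets = @('C:\AdobeBV\devbodec.exe', 'C:\LabZV1\dobxsys.exe')
$FilePaths       = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe'),
    'C:\AdobeBV\devbodec.exe',
    'C:\LabZV1\dobxsys.exe'   # assumption: present only after the RunOnce target is written
)
# SHA-256 of the submitted sample plus the six files in the report's Downloads table.
$KnownSha256 = @(
    '6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c',
    '412766d2a986160186b318061835cb590e423c81519c7e5b6e085f85bf68af45',
    '0061458d3ddc80246cd94abdf5dff21928397f51d84dfdc53459db9c774c29a4',
    'd272e422ca81489289414b2a86b3b7a7a7826c1833fdd9756c9f1fde716fa75e',
    '6d89a56d113f0c1240b9098ddf4e3ba79484b1384592ea0f308a831c9355a19f',
    '28cd43aa1f41d171bfea5f27f44f036ec30b0c693ce1992a01191fe5b2e0971d',
    '2109ec743ccf74e4d98b41fb9578eea8c7cd6166af779559345f97c981a14163'
)

$findings = @()

# 1. Registry persistence. The value name is the primary indicator; the target
#    path is compared separately so a variant that moves the payload still shows up.
foreach ($key in $RunKeys) {
    $value = (Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue).$RunValueName
    if ($null -ne $value) {
        $matched = $ExpectedTargets -contains $value.Trim('"')
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Where  = "$key\$RunValueName"
            Detail = $value
            Match  = if ($matched) { 'known target' } else { 'unexpected target' }
        }
    }
}

# 2. Dropped files: existence plus SHA-256 comparison against the report.
foreach ($path in $FilePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = $hash
            Match  = if ($KnownSha256 -contains $hash) { 'hash in report' } else { 'hash not in report' }
        }
    }
}

# 3. Processes currently running from one of the dropped paths (the report's
#    sysabod.exe and devbodec.exe). Path is empty for processes we cannot open.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($FilePaths -contains $_.Path) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Where  = "PID $($_.Id)"
            Detail = $_.Path
            Match  = 'running from IoC path'
        }
    }

if ($findings.Count -eq 0) { Write-Output 'No artifacts from this report found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the Parametr value with an unexpected target, or a file at one of the paths whose hash is not in the report, still deserves a look: both are what a repacked variant of the same dropper would produce. Because the Run values live in the user hive, a machine with several profiles should be checked per profile (or by loading each NTUSER.DAT), not only for the account that is currently logged on.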
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 2.6MB
  MD5: 6f2ea52125b8a0cb73556c7043ca0f25
  SHA1: 5c120d0a5b17ea5ca94cd55e1cc2eec8998cc333
  SHA256: 412766d2a986160186b318061835cb590e423c81519c7e5b6e085f85bf68af45
  SHA512: 2a56fae238f69199a7f9d4c6f513d976c87f530ded9764a544d5c39d35e4f07697998d4476e42f039b9784d46125fde1c3e720f27bce5db1a74dcfb06a15d680

Dropped file 2
  Filesize: 2.6MB
  MD5: f4b607f86090f06baed145c3eacc9b58
  SHA1: d1164ece0173e7b46d4b81f790f0f978a446b864
  SHA256: 0061458d3ddc80246cd94abdf5dff21928397f51d84dfdc53459db9c774c29a4
  SHA512: ab514828d74638c637f1fcf22dc32b7c219442ae89e45bbf8860c67c206cf9cd1392c105d980876b589efa2f1f980c5b1d919cae3609dc6d0ffcd7b2091e467c

Dropped file 3
  Filesize: 2.6MB
  MD5: 397744892b5d8f39e5182b54b2f2461c
  SHA1: 2df4ec700687effefadec70e755676fc7296c016
  SHA256: d272e422ca81489289414b2a86b3b7a7a7826c1833fdd9756c9f1fde716fa75e
  SHA512: 1c30161ceaa8cb5c82cb81c49486a3426c55412cab9ece1790dd680d2c53ebfe25c15f0b25ea09232764a71f5e0c6f1ffe9b59cae844787bd078e2b39b97626e

Dropped file 4
  Filesize: 201B
  MD5: 04fe157d1769b0862d13c99f89828fc2
  SHA1: 0da7dc3dd9bba784909071370f118b946e9663db
  SHA256: 6d89a56d113f0c1240b9098ddf4e3ba79484b1384592ea0f308a831c9355a19f
  SHA512: f54e6dee9218650502e57c94cdfe7dc14618b634ab2ea140f88f73804b1e07f4b580d2f6c66dbe88a063ef216dfbd1e3d568ce137cdcc5b406d11d54bcf0a430

Dropped file 5
  Filesize: 169B
  MD5: dcbe537276dd167a9057b36acb948a79
  SHA1: 3500929210bb4f4c9f21e81e156790a392ba240e
  SHA256: 28cd43aa1f41d171bfea5f27f44f036ec30b0c693ce1992a01191fe5b2e0971d
  SHA512: 6bdcd253ce07b5b096c9b6473b6fa3230504ac858a726a5c997b4ed64d56677efcf2a75f1a5e81fb51f3289b86aeaef650b76fc6ee60397216421d945a753be7

Dropped file 6
  Filesize: 2.6MB
  MD5: 8039c061ccf4b71cbb4483534236ff11
  SHA1: c4af1ef91835ae3d56f917f9897ad8e20e17d184
  SHA256: 2109ec743ccf74e4d98b41fb9578eea8c7cd6166af779559345f97c981a14163
  SHA512: fdfa76fa794b6e2c6977c06fa48465a380718acb360b63ee9a2bae61a1b686b59226fb7b88037f3a17037694a7ae7b07fd52dd6dfd807543df55a6e92fd448e3

The report does not name the dropped files; the four 2.6MB entries are the same size as the submitted sample but carry different hashes, so the dropper writes distinct copies rather than byte-identical ones.