Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:30
Static task: static1
Behavioral task: behavioral1
  Sample: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
  Resource: win10v2004-20241007-en
General
Target: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Size: 2.6MB
MD5: dbc6434b88a8b9017cbc55b7b680ef0a
SHA1: 52ccdd946bd863524595743beccdfed48e23ae7b
SHA256: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a
SHA512: abe0d9e057fb415fb91c2006878b2ffba5ebc63ea0d192beaab5b7b03c2079e69564c000d34c25a2e8fee3fb5fee16bf2992523aae8f570f1ab8eedb662ea8cc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUp3b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Process: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Executes dropped EXE (2 IoCs)
  PID 3740: sysdevdob.exe
  PID 1356: xbodsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDH\\xbodsys.exe"
    Process: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPS\\optixec.exe"
    Process: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: sysdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4196: 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe (first four entries)
  PID 3740: sysdevdob.exe and PID 1356: xbodsys.exe (remaining entries, in alternating pairs)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4196 (6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe) wrote to memory of PID 3740, procid_target 86 (3 entries)
  PID 4196 (6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe) wrote to memory of PID 1356, procid_target 90 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe"
  PID: 4196
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    PID: 3740
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\SysDrvDH\xbodsys.exe
    Command line: C:\SysDrvDH\xbodsys.exe
    PID: 1356
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
  MD5: a3600ce8427c98f5fc702a3163c07f3b
  SHA1: 0df27f879782698f166729ab9ac31f9902b34248
  SHA256: abfd8f401d2e22e50872e86bf294f1c14de28da7366c17b1998f366a4a2ec7b5
  SHA512: 84f2b4fad2142ab5cc5a21760100c7ae820635facd32556924efb57416a3e99aea64da3e42352cacf6d64791bfb5618dc9a408d76e622c7831580c3bbb41a18e
Filesize: 2.6MB
  MD5: b43b0f1709ecb7510311cea79657ac6c
  SHA1: c15b037e0cf71b48820c4fe0b208c604587b3695
  SHA256: fafbc4e852abd584f6d4817058ae8cc77cf07373969e0d1521786f1877bd1535
  SHA512: a218c25f4bc48b44770ace08321c774657d1eb4676e0e70bf74882da6103ffb66e3e53d3a604f5a4b83f4c8cfc0a71a0012a93cf2d1bc479a755c92db2611b58
Filesize: 251KB
  MD5: 28f0ed0287aec4e9cc2ae10e181bd3dc
  SHA1: ca6df11b2bba9bf7d9d5488564b9672f61e06a20
  SHA256: bb8b5bc6f61a61f94ee159453d19270ff84e6951c8784abbfb1b5ad6f980f0ca
  SHA512: c87e91dfc11ea9bac3f06c4451dfdfe0972efacf30ffdacf8eb93fcbaccadd467c0802f8c2df61bb0ad76142147860acf795b489c50283f50a9cbe34cf5c03da
Filesize: 2.6MB
  MD5: ddcc6359b12d921aa18ba5a05cba02fc
  SHA1: 889532262949ee84974b896d0c931d4253a6691c
  SHA256: ccb943d0eb73ca66df8dd8a31540d151800acfe79cae074282a1b84c35b3ddcc
  SHA512: 5c0bf6694ddfbd89f181677765e5353fd77f23bbcfe7e0e26b8a1af0e67197bf964ebf5eff5ccd420786883783f46fe104bf241e69e302e43843ee3994c53f7c
Filesize: 203B
  MD5: af3b37676ce2dddae6e7fc0db4ad005c
  SHA1: 29ae69d1163078aac687d5aef88c130c70a681e8
  SHA256: fbba108e73b5cf93d02b3c13ffd955cba8642f1f4687f8f084ddda2d5eb33cf0
  SHA512: d2f219fd727e4cc3efda7339364f1661e3e69a015caa19d2456cb65235798c4d08b00d1034f5a4e44002a0137e0a5be1e7ae0d49f62c297434b938bf92dd5589
Filesize: 171B
  MD5: d21bffc757f7f363fbe447c4bfd29a87
  SHA1: 8581dce6a5d9b4692b6f804765af491a0e8b0fd4
  SHA256: 0a6bfef6bad1a072634e2ed0dc939943aec103ab1d80496a23664576b2b878b2
  SHA512: 4d6be58f6e1ea4cff60d504f561adc33455449830180747d28e92a93bc370e12c8cb1d905aa29f07285e46c9b3196bd9ef0c3751a9a153c7fcbfc31f51935d50
Filesize: 2.6MB
  MD5: ad5570fe4eceffd36b721e261694a306
  SHA1: 740ff3f3a24bf898b4e409f7b0a1bb457e7ee217
  SHA256: f8e9672dd165d7676f0904c83c329ad8d3b873996ac509f80d8b54d29ef1301d
  SHA512: 4fc7e8056ebb47b1191f1363e1270e8323867d7d9ac56b3a14cdaa51606e716e0d540f7a717e8017c00034adb80f278ddb1485291433f24351c0cea2e6d65f6a