Analysis
Max time kernel: 119s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 11/11/2024, 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Resource: win10v2004-20241007-en
General
Target: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
Size: 2.6MB
MD5: 04a1537d62800d2cba94e14ced5665f5
SHA1: 02a4c88b2de8e63189b08950e4c9ba4a6f8b75b3
SHA256: 9a31ec079f9330ff7ddf0422629886da291a0eb802c11a33099e00a5766221b1
SHA512: 3f365007e6e73892140da601a659e2b42fa10daa60eb322bc972efab349bb0cdefd1b8c5134b62cf7546e25c0c3ee237e67ee71456d5dea4a5fb9ab3da7e60f3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSL:sxX7QnxrloE5dpUpvbQ
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe)
Executes dropped EXE (2 IoCs)
  PID 1884: ecdevdob.exe
  PID 1784: devbodec.exe
Loads dropped DLL (2 IoCs)
  PID 2860: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe (listed twice)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX9\\devbodec.exe" (process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidND\\bodasys.exe" (process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2860: 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  PID 1884: ecdevdob.exe
  PID 1784: devbodec.exe
  (the report repeats these pid/process pairs; 64 entries in total)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2860 (7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe) wrote to memory of PID 1884, procid_target 30 (4 entries)
  PID 2860 (7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe) wrote to memory of PID 1784, procid_target 31 (4 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
  PID: 2860
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 1884
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\UserDotX9\devbodec.exe
    Command line: C:\UserDotX9\devbodec.exe
    PID: 1784
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads