Analysis
Max time kernel: 150s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 11/11/2024, 23:36
Static task: static1
Behavioral task: behavioral1
  Sample: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
  Resource: win10v2004-20241007-en
General
Target: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Size: 2.6MB
MD5: cbd0bf2ceb1e66b901c9a5e53b9c830b
SHA1: 7982722543a8118da5f1d313a3b09a429e428834
SHA256: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899
SHA512: 8fed557f28860f87fc058dde07da8eedacceebb1d63fb131d0e5fc2487444ea3124eddd1bdc1bfadcf7f8614d35969171b851151bcd04264086e5c2a6473409d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Executes dropped EXE (2 IoCs)
  PID 2844: ecdevbod.exe
  PID 2808: devdobsys.exe
Loads dropped DLL (2 IoCs)
  PID 2272: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe (two load events)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXH\\devdobsys.exe"
  Process: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ91\\bodasys.exe"
  Process: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe, ecdevbod.exe, devdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2272: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe (listed twice)
  PID 2844: ecdevbod.exe and PID 2808: devdobsys.exe (listed alternately for the remaining IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2272 (714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe) wrote to memory of PID 2844, target procid 30 (listed four times)
  PID 2272 (714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe) wrote to memory of PID 2808, target procid 31 (listed four times)
Processes
C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe"
  PID: 2272
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 2844
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\SysDrvXH\devdobsys.exe
    Command line: C:\SysDrvXH\devdobsys.exe
    PID: 2808
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads