Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:36

General

  • Target

    714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe

  • Size

    2.6MB

  • MD5

    cbd0bf2ceb1e66b901c9a5e53b9c830b

  • SHA1

    7982722543a8118da5f1d313a3b09a429e428834

  • SHA256

    714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899

  • SHA512

    8fed557f28860f87fc058dde07da8eedacceebb1d63fb131d0e5fc2487444ea3124eddd1bdc1bfadcf7f8614d35969171b851151bcd04264086e5c2a6473409d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
    "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2844
    • C:\SysDrvXH\devdobsys.exe
      C:\SysDrvXH\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2808

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZ91\bodasys.exe
          Filesize: 2.6MB
          MD5: f3acf8941da0bff6b5a64be294b37bdd
          SHA1: 75ecf8def1aadc6d618845d81ae32af1745d359a
          SHA256: c54bda6c5cf5e41fc069d80b4af34f422547754ab2676138a95bee12e048cc3d
          SHA512: 51cd50fddf48f794b8b46678c5a858bbc0cdec328383197c050ca4b6400a503e577c1c2227924ab8c0d290cc7f4e4600121cb21b81f40f5c17e7bd1ff8c7c36f

        • C:\LabZ91\bodasys.exe
          Filesize: 2.6MB
          MD5: d222fdf0b113e098045cbb9c41e41c66
          SHA1: f80a93bb8f203635696e40cb19c690691386cdfd
          SHA256: 6b2d49d61a5f4cb353f4dd8d33943ba604d2aa7bda7a14714cf89a1d0e29ff1f
          SHA512: 552a1eb1ebd6076a331bb8d02d26e86723e728538d6e4d6d47db610940f146e7c62702fe89eb557733566932424d5c6a8efd52cdc6f8107e29e8db5ecdc110a0

        • C:\SysDrvXH\devdobsys.exe
          Filesize: 2.6MB
          MD5: 6455c86524711e98824fb660aaf96d6f
          SHA1: 385c9bfb3400431f9cd9bfff33064972164e3c7c
          SHA256: 16ef96d2b7587c8f120dabb7fcc82ac93370e6c3d13c95f195d222eebb9de0bc
          SHA512: 91e29070926ef070497fa404b1a5a959ffc1cf0ebf7fcc167820ab0148b989cce061ace17369faa0cc43e4a4aacf77d5ec363d01e6ec7ebac63916ea06833a4d

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 172B
          MD5: d88b9ae6778408d5b813c858be0b6970
          SHA1: 13d4f0a4c7775bf6729a4f86e9dcd4dc03ef16bf
          SHA256: 2245c1c5104b2055b66f516b7727936e02ec64a8077259d3243dbb92245cd449
          SHA512: ceaf7eed1d1ca6703468adebb5249e4b698afc47ec4fd8184d3601edec52869d4775b2065816dab1bd35b4d6cfa3eea4291f58aa54e971957b45a8cd23090037

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 204B
          MD5: a2e4944d70d595f6a91775efe251da66
          SHA1: 1d592db07ed7aaff222c5805563beb6a0a7ec13d
          SHA256: 3c3f91a9307c3a46c408f7914f789bd7b4c58a0c2ef9d65ebd72c255c605d822
          SHA512: aa195039f33e0be44107eb4cad795516f26084056498fc463acf92fa09ef8db1b6c834fa430c170da7b4f5c9ee9aa7b3334a9c8b59ab0fe8da4faed4b11608bc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
          Filesize: 2.6MB
          MD5: 0f62a54e5b1b05bbbfefee77a6b1f6c4
          SHA1: e67c637dec0f5142bf776346a014c240b552d1a6
          SHA256: afef405b88d2f5b5104f40f1ede24c8d63fc53738a42a0932ef6427c7c9dc302
          SHA512: 75ef291474aa9b8ec07a104fdd038c6e42b60e12ee3286535db3683ab79abd3f869dc8a9c97fc1a358c48bed1451b924cb711f1d50405ad70e73dffda277182d