Analysis
max time kernel: 119s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12/11/2024, 16:33
Static task
static1
Behavioral task
behavioral1
Sample
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Resource
win10v2004-20241007-en
General
Target: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Size: 2.6MB
MD5: d2808e3373c56fd1aabd501b37bc4fd9
SHA1: 5a4486f26e2c3bc11f9f7ec9e8a7e48adb94f354
SHA256: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e
SHA512: db891ab58cf24b596c68260c65b72b57a54122a0cd00dba892be7b30aab550c3531837486738cf0874dc2408951bf91daeb257556c87a4c4face7c83035177e2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSS:sxX7QnxrloE5dpUp0bF
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe

Executes dropped EXE (2 IoCs)
pid | Process
720 | sysdevdob.exe
1288 | devbodloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5I\\devbodloc.exe" | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHL\\boddevloc.exe" | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 4
720 | sysdevdob.exe | 30
1288 | devbodloc.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4852 wrote to memory of 720 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 87
PID 4852 wrote to memory of 720 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 87
PID 4852 wrote to memory of 720 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 87
PID 4852 wrote to memory of 1288 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 90
PID 4852 wrote to memory of 1288 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 90
PID 4852 wrote to memory of 1288 | 4852 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
   PID: 4852
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (child of PID 4852)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      PID: 720
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Intelproc5I\devbodloc.exe (child of PID 4852)
      command line: C:\Intelproc5I\devbodloc.exe
      PID: 1288
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads