Analysis
max time kernel: 120s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:36

Static task: static1

Behavioral task: behavioral1
Sample: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
Resource: win10v2004-20241007-en
General
Target: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
Size: 2.6MB
MD5: 440692a91aee96bf3b79e09fa4da0d30
SHA1: 8660fb96cf47c02ed8e1983ab0447038b2e59672
SHA256: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82c
SHA512: dd475e0dd97f83e44e40c3319211ff5ed5f9dd60832780e2c40d06651c83c157d3ce12c9643e1b0ac9b23e81569c6e3ce664f4bfba250e25e7073548e8791509
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe

Executes dropped EXE (2 IoCs)
pid 4732: sysabod.exe
pid 1636: devbodsys.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other saved user data.
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4X\\bodaec.exe"
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1W\\devbodsys.exe"
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: sysabod.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: devbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries repeat three pid/process pairs:
pid 4916: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe (4 entries)
pid 4732: sysabod.exe (30 entries)
pid 1636: devbodsys.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 4916 wrote to memory of 4732
pid: 4916
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
procid_target: 86
(3 identical entries)
description: PID 4916 wrote to memory of 1636
pid: 4916
Process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
procid_target: 89
(3 identical entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4916

  Depth 2 (child of PID 4916): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 4732

  Depth 2 (child of PID 4916): C:\SysDrv1W\devbodsys.exe
  Command line: C:\SysDrv1W\devbodsys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1636
Network
MITRE ATT&CK Enterprise v15
Downloads