Analysis

  • max time kernel
    120s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/11/2024, 16:36

General

  • Target

    6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe

  • Size

    2.6MB

  • MD5

    440692a91aee96bf3b79e09fa4da0d30

  • SHA1

    8660fb96cf47c02ed8e1983ab0447038b2e59672

  • SHA256

    6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82c

  • SHA512

    dd475e0dd97f83e44e40c3319211ff5ed5f9dd60832780e2c40d06651c83c157d3ce12c9643e1b0ac9b23e81569c6e3ce664f4bfba250e25e7073548e8791509

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
    "C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4732
    • C:\SysDrv1W\devbodsys.exe
      C:\SysDrv1W\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1636

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrv1W\devbodsys.exe

          Filesize

          2.6MB

          MD5

          018dcab8d557a20af82ff5ea0b11f3d2

          SHA1

          52738cfe4af5d7934f685d6c6b5b7484462f0ce8

          SHA256

          450ddd597c58031d81db828d892b90dfb60cf71e7f8efea90b37f970e550f0c4

          SHA512

          d7544bbe34be2026d967f03414d1223435d4559175b87acc97958f1aa9a7ab0f6e9b19a9ea6f13918c9a69d1786dd5eee911926fcea488d395e03003cd3bef7c

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          88fadbdea1624191332633fa35c07471

          SHA1

          ed234ca19d8c07353776cf3600a7fa711cd4c0ea

          SHA256

          ba896d1827e67a42fa04c071f68d2988e5a5233e820a0f3e53704a8215bdebd6

          SHA512

          6fa1f33433f3d8b1635443024abf86e090b4187423bb4638c75e35bbd4467645beb7f5ca5d79564b7d14a8bde5a4dcf4c6327de03fd7a871966dd674338b5fce

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          69dcf24d1afc23943f92da1e80600f8c

          SHA1

          b408f5f006c3f12eee41be71fbf734f7d11436eb

          SHA256

          e25d029d444c209f89f7f3f602b411efd9b9aacee68652421f2f46b887dcbe0d

          SHA512

          7430aaa6b0325e49f198bc45847f3bf22709ee9ac82d8d3e190912080445beebd5258a7f81618543e6009bd2b2ef7de0436335e1d70d383250a35b5f18babeee

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          8cb8c34cbbbf40eeee260c66321a2979

          SHA1

          6fe96734af91e5345b09a266eb332ca09be40a60

          SHA256

          e4dcba355b460af9a72bee3fb45ce0c40ae3168e48b93c21b614ecdf06aa27cb

          SHA512

          64f8b9f493db7cdfabf8302620f694e89a93e7bd98c2e749ea1215eaab63ad3b24c65be07062c391a4381b132a65f2a0d27e0a42f387992a5e53b530245cb210

        • C:\Vid4X\bodaec.exe

          Filesize

          2.6MB

          MD5

          7d9898c95cc4fb1394cc1f0f4e937181

          SHA1

          1b3b4762015c51dc9ea93eab626066722c97f003

          SHA256

          323570568b9b8ad5541b2179a08130a3db5b191854b647880763909f0a79e5c3

          SHA512

          f132cbe718beb76d12684dbc7afb2a876bbde653190c0b11735aed182b7a00d09104050fde5bbd5afb64bb2f7cbf7c5c230a5a77fad70f2b5e84d3af6f6a1ef3

        • C:\Vid4X\bodaec.exe

          Filesize

          6KB

          MD5

          c8190a91500bb1d9caa61e3b11eaf128

          SHA1

          ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

          SHA256

          6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

          SHA512

          bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b