Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:58
Static task: static1
Behavioral task: behavioral1
Sample: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Resource: win10v2004-20241007-en
General
Target: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
Size: 2.6MB
MD5: 5aca2c1a262bdf9ddd1d1406af5f0c40
SHA1: a33af90e123e64ae31624c0337d80a6f20bb3171
SHA256: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7
SHA512: b483cdc3844af019757b285d5aabacbf41d36d790cf0d85a841d3c5cb44c5bea781481c585a0e1b3ec3cebf51d2d2b1fe670877cd8806e8f48cc0c1d335582b2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpgb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe (process: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe)
- Executes dropped EXE (2 IoCs)
  PID 5100: sysdevdob.exe
  PID 4816: abodec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNA\\bodaloc.exe" (process: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0T\\abodec.exe" (process: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3200: 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe (4 entries)
  PID 5100: sysdevdob.exe and PID 4816: abodec.exe (the remaining 60 entries, alternating in pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3200 (9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe) wrote to memory of PID 5100, procid_target 89 (3 entries)
  PID 3200 (9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe) wrote to memory of PID 4816, procid_target 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3200
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5100
  - C:\Files0T\abodec.exe
    Command line: C:\Files0T\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4816
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  MD5: 5a87572878dabd3652e734e9cf855065
  SHA1: c5680884425386174908e45b82e8774e388790fe
  SHA256: 0d93615a7a3146141faa27413b9e8d8b65a6ab474987576feb52ef3124e82ddc
  SHA512: e3ae89e995b510989fdbbc77110650db648ae4c1bae911c98b4f146db762f2f954193a55f320761cf613f9a5662a32c7514cf26ad07038b1efe753633a3c1791
- Filesize: 2.6MB
  MD5: e254de7a8046bf0909f4d57623d8ca2c
  SHA1: f6d564dd9da7996920b95bbab4713918cd2d46fa
  SHA256: 0799b6dbc934091aff5fc36e272783773bf7d64300f90675f9e29104c4f7707c
  SHA512: 1cad29284ea80073d655c396e0bfc4e620203c91c6acf99ba3d02696c8da0d1b807f176e2a975a830a92f126ab122766e9905d8054d876fdb3802d4522373bfd
- Filesize: 175KB
  MD5: 45fe14f76839e9486445fd54713736b6
  SHA1: bd546833fac1af06f2d752ff8daacb898316a121
  SHA256: 0415455288f159e32b3190fef979546d56da9fe3cd7a593a07e3275989da3a9d
  SHA512: d3c49ad36c5ee3a8cbcda62ad01fc5576c602a3923d42d73a80af4ce6c9a4f4b62646923b11f40d50cd85d83ee3973dda825a51fb1ad84c2c7ecfee6106c8000
- Filesize: 296KB
  MD5: 804af8f9cebf35646d8dfc9422112844
  SHA1: e4a46592b2e5734f5f48b931e94cddb8e096703d
  SHA256: a69f2713b681b2dba2797156f8280c9986ed2cdd480bdd968ee948a490dfb7db
  SHA512: b163c77178a8103448ab6e34b89a90b5c3dbbb365baa5025f3fd9e7582b3fa49aec1be96d165102a8b219c6de8c05fcace73af33c4c9080e0ec7fbfc758cbe68
- Filesize: 201B
  MD5: b76054aa8228bb20620cace6d8d39509
  SHA1: 3c1b7967356dd998c7831032cc3a74f7b2a489b4
  SHA256: c94991e43dc24b17e254d862515463d519ef8a6c9f9de896a3acdb943db90133
  SHA512: 1813a8dd3b6879cebd2e453b88c7141d41359922f3f2ceca836e5b24cccb1c4597a981682e7c78be5277a91f731e55930ad21b9bdf321747cd72ec768881f922
- Filesize: 169B
  MD5: d815b323e1939c4e4c92141f12982a0e
  SHA1: 9448b2e2ce3a3b2e80da2d6abdbcbe1fc0c6deea
  SHA256: 8eb99c21d5745e43665c4849da6bf57dc31517e2dcc6670dc41c95cb4a6708fa
  SHA512: 6dd5eb959b929788f55d153e2b7eccdf88ac4632703a914cea79cb0237ce188bfaad6436dde2b08f476e9609f2472894f476426519655887bd92991e4ca67305
- Filesize: 2.6MB
  MD5: 1ba85a904228378cdc9d3c870dc437c2
  SHA1: e6083268837960564ee4adb3f8d2e4aa35a3324f
  SHA256: 150ca3365c989f1a6dab168bc9db19479dae4880d5528a17bfd5986aeb738cd2
  SHA512: c0f167f5da28b3899752026ab06c586434be5d6d41c6d859355adb798cf12662f8bf405c26ecb3754f35d6c515e51f5994bde5c96c70f126350dc9f5937733f6