Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:05

General

  • Target

    c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe

  • Size

    2.6MB

  • MD5

    9f0b34d341fca709b940188f7317ed70

  • SHA1

    e48250b68b58d5604d4c715b41b768a570b5bd4c

  • SHA256

    c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8

  • SHA512

    d8ef9ae955dbafb2c31f2a801ced2c31136b206f6e11790ee18e1375203f0701582a194b9e70b434cca9bd795f67c42614daf81edcf3fc5f21ded9d6bc7ece3c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
    "C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2924
    • C:\IntelprocTC\xdobsys.exe
      C:\IntelprocTC\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1592

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocTC\xdobsys.exe

          Filesize

          6KB

          MD5

          b646265f07f9f16a9eedf6d5027f9e3c

          SHA1

          a47300f0e83643f499e1b7c1be83a375a1293ac7

          SHA256

          d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

          SHA512

          403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

        • C:\MintHP\boddevsys.exe

          Filesize

          52KB

          MD5

          07100e6afe75408088a5457936386f8b

          SHA1

          fe350bdc37425df601af04408696b6ef20d3c45c

          SHA256

          fd8fe7e928d18bf37ad205e934553a9b3b68a489d8e81df0742ba0c4b35db556

          SHA512

          49b6d539acdc384c9b7e8917197daa1f1756f417322ff3a36de44712573ad10d314053030338c1f685d2710f8a085fc649ba9f342f81175b0b09286501388148

        • C:\MintHP\boddevsys.exe

          Filesize

          2.6MB

          MD5

          253ae397d796d1d76402f504fc720585

          SHA1

          d50454173ab839e203d3327a3ccf354f781574ef

          SHA256

          f67f659638993deb69d02f5df9c77fc916afb510b918762be1e42e310b035b56

          SHA512

          643ad63de936c4a97ab0ab96fd480b5e867e26835d5765d5b02e13cf7a87a9aecbd5dd028afd00414f4c75c86ec7a68052a4ad0086c6423bec24491cbfada5af

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          176B

          MD5

          7422085b6e20515cfc9f991a3fda908f

          SHA1

          973fb40e233bed80be0443419bb0620e0af24aba

          SHA256

          4e2d3cf3dddd1157884873f42a91fa37c0e379b5d9408baf03bb6f06cdf24454

          SHA512

          1b188bd2cacc2afe2ef0581062269dca815cdd8cd3f0b0590a2d01ba5d2cc5336937da5139da233e5834251004a36f01af5b3fda61893807aec4bd2bcbf81eaa

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          208B

          MD5

          3cf89be7627b4e7f785f207797a01cd0

          SHA1

          c907ca41150126403461c9acd8c00583fda2922a

          SHA256

          6901e611bb1f8ebd814233c1bd63949a0bda75f205c933f077b446c56e39be8a

          SHA512

          71fd92b3d680a7c7b8e3850c3d9adec4d0dc17712c873c03ff22deec5003af5cfe137eef051c8a11d2ffc3ab52705d763ec11d398ed48f4d7dc826a8ac5ff6ba

        • \IntelprocTC\xdobsys.exe

          Filesize

          2.6MB

          MD5

          5d64995f4f17ae396bff6eeaca08f815

          SHA1

          07a6a9740a033af352243e01cca3b605f7c9bb5f

          SHA256

          e663391a828db42af5b519a040789c22d8038d87774b27dca6ac01d15a50548e

          SHA512

          179b223b7cacb9ea78f2b13a09edda7fcf989a60414a1e0c67a56fd41e39c7e09d2eed142fa8ab889e227cc05dcaee91fca1727f76590310a60712c0f7082f6e

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          2e33fc6acf0e5c293e401ff1b6d2ebae

          SHA1

          7cc426a5924446823e40469dfe5d7e36dd82c393

          SHA256

          939cb63901e2a431f661790a0cc7014ebe9c2e44ee7f25d2d466fc9d4abbae05

          SHA512

          7dfdde2b4c0f0ac3bdafd727cf762c2295d7b8420724a2422833c2cba0a6be0dced89bc3e50f637dbbbb9ee477361851616a46b1b162c1e5ebb28590ca521121
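
The script below is an added host-triage example, not part of the sandbox output or of the sample. It checks a Windows host for the dropped files and the Run-key persistence listed above, hashes whatever it finds with SHA256 and marks whether the hash matches one in the report. Two things in the report shape the design: several paths appear more than once with different sizes and hashes (xdobsys.exe at 6KB and 2.6MB, boddevsys.exe at 52KB and 2.6MB, the .ini at 176B and 208B), so the dropper rewrote them during the run and a single hash is a weak indicator; the path itself is therefore treated as the finding, with the hash reported for correlation. The paths and hashes are copied from the report. Assumptions not in the report: the .ini filename is matched by shape rather than literally (253086396416_6.1_Admin.ini looks host- and user-specific), Run entries are matched on the dropped directory and file names because the report does not give the value name, and HKCU is read for the user running the script only.

```powershell
# Added example: host triage for the artifacts in this report. Not part of the sandbox
# output or the sample. Paths and SHA256 values are copied from the report; anything
# marked ASSUMPTION is not. Runs on Windows PowerShell 2.0+ (no Get-FileHash), so it
# works on a stock Windows 7 host like the analysis platform.

function Get-Sha256Hex {
    param([string]$FilePath)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($FilePath)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# Paths the report lists twice carry both observed hashes: the files were rewritten
# during the run, so the path is the indicator and the hash is only for correlation.
$FixedArtifacts = @(
    @{ Path   = 'C:\IntelprocTC\xdobsys.exe'
       Sha256 = @('d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025',
                  'e663391a828db42af5b519a040789c22d8038d87774b27dca6ac01d15a50548e') },
    @{ Path   = 'C:\MintHP\boddevsys.exe'
       Sha256 = @('fd8fe7e928d18bf37ad205e934553a9b3b68a489d8e81df0742ba0c4b35db556',
                  'f67f659638993deb69d02f5df9c77fc916afb510b918762be1e42e310b035b56') }
)

# Per-profile artifacts (the report ran as user "Admin"; every profile is checked here).
$StartupRelative = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe'
$StartupSha256   = @('939cb63901e2a431f661790a0cc7014ebe9c2e44ee7f25d2d466fc9d4abbae05')
# ASSUMPTION: 253086396416_6.1_Admin.ini embeds host/user-specific values (6.1 is the
# Windows 7 version, Admin the user), so other hosts are matched by filename shape.
$IniPattern      = '[0-9]*_*_*.ini'
$IniSha256       = @('4e2d3cf3dddd1157884873f42a91fa37c0e379b5d9408baf03bb6f06cdf24454',
                     '6901e611bb1f8ebd814233c1bd63949a0bda75f205c933f077b446c56e39be8a')

function Test-Artifact {
    param([string]$Path, [string[]]$KnownSha256)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $hash = Get-Sha256Hex -FilePath $Path
    New-Object PSObject -Property @{
        Path         = $Path
        SizeBytes    = (Get-Item -LiteralPath $Path).Length
        Sha256       = $hash
        HashInReport = ($KnownSha256 -contains $hash)   # $false still matters: the path alone is a hit
    }
}

$FileFindings = @()
foreach ($a in $FixedArtifacts) {
    $r = Test-Artifact -Path $a.Path -KnownSha256 $a.Sha256
    if ($r) { $FileFindings += $r }
}
$profiles = Get-ChildItem -Path 'C:\Users' -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) {
    $r = Test-Artifact -Path (Join-Path $p.FullName $StartupRelative) -KnownSha256 $StartupSha256
    if ($r) { $FileFindings += $r }
    $inis = Get-ChildItem -Path (Join-Path $p.FullName $IniPattern) -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    foreach ($ini in $inis) {
        $r = Test-Artifact -Path $ini.FullName -KnownSha256 $IniSha256
        if ($r) { $FileFindings += $r }
    }
}

# Run-key persistence. The report names neither the hive nor the value, so every Run
# entry whose command references a dropped name is reported. HKCU covers only the user
# running this script; other users' NTUSER.DAT hives are not loaded here.
$RunKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$RunValuePattern = 'IntelprocTC|MintHP|sysdevdob|xdobsys|boddevsys'   # ASSUMPTION: name-based match
$RunFindings = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }   # provider metadata
        if ("$($prop.Value)" -match $RunValuePattern) {
            $RunFindings += New-Object PSObject -Property @{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

if ($FileFindings.Count -eq 0 -and $RunFindings.Count -eq 0) {
    'No artifacts from this report were found on this host.'
} else {
    $FileFindings | Format-Table Path, SizeBytes, HashInReport, Sha256 -AutoSize
    $RunFindings  | Format-Table Key, Name, Command -AutoSize
}
```

Run it from an elevated prompt so HKLM and every profile under C:\Users are readable. A path hit with HashInReport set to $false is expected rather than a miss, since the report itself shows each dropped file with more than one hash.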