Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Resource: win10v2004-20241007-en
General
Target: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
Size: 2.6MB
MD5: 9f0b34d341fca709b940188f7317ed70
SHA1: e48250b68b58d5604d4c715b41b768a570b5bd4c
SHA256: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8
SHA512: d8ef9ae955dbafb2c31f2a801ced2c31136b206f6e11790ee18e1375203f0701582a194b9e70b434cca9bd795f67c42614daf81edcf3fc5f21ded9d6bc7ece3c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2924 | sysdevdob.exe
  1592 | xdobsys.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2248 | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  2248 | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTC\\xdobsys.exe" | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHP\\boddevsys.exe" | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2248 | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe (2 entries)
  2924 | sysdevdob.exe (remaining entries, alternating with PID 1592)
  1592 | xdobsys.exe (remaining entries, alternating with PID 2924)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2248 wrote to memory of 2924 | 2248 | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | 31 (4 identical entries)
  PID 2248 wrote to memory of 1592 | 2248 | c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | 32 (4 identical entries)
Processes (tree depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
  PID: 2248
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      PID: 2924
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\IntelprocTC\xdobsys.exe
      Command line: C:\IntelprocTC\xdobsys.exe
      PID: 1592
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6KB
MD5: b646265f07f9f16a9eedf6d5027f9e3c
SHA1: a47300f0e83643f499e1b7c1be83a375a1293ac7
SHA256: d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025
SHA512: 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

Filesize: 52KB
MD5: 07100e6afe75408088a5457936386f8b
SHA1: fe350bdc37425df601af04408696b6ef20d3c45c
SHA256: fd8fe7e928d18bf37ad205e934553a9b3b68a489d8e81df0742ba0c4b35db556
SHA512: 49b6d539acdc384c9b7e8917197daa1f1756f417322ff3a36de44712573ad10d314053030338c1f685d2710f8a085fc649ba9f342f81175b0b09286501388148

Filesize: 2.6MB
MD5: 253ae397d796d1d76402f504fc720585
SHA1: d50454173ab839e203d3327a3ccf354f781574ef
SHA256: f67f659638993deb69d02f5df9c77fc916afb510b918762be1e42e310b035b56
SHA512: 643ad63de936c4a97ab0ab96fd480b5e867e26835d5765d5b02e13cf7a87a9aecbd5dd028afd00414f4c75c86ec7a68052a4ad0086c6423bec24491cbfada5af

Filesize: 176B
MD5: 7422085b6e20515cfc9f991a3fda908f
SHA1: 973fb40e233bed80be0443419bb0620e0af24aba
SHA256: 4e2d3cf3dddd1157884873f42a91fa37c0e379b5d9408baf03bb6f06cdf24454
SHA512: 1b188bd2cacc2afe2ef0581062269dca815cdd8cd3f0b0590a2d01ba5d2cc5336937da5139da233e5834251004a36f01af5b3fda61893807aec4bd2bcbf81eaa

Filesize: 208B
MD5: 3cf89be7627b4e7f785f207797a01cd0
SHA1: c907ca41150126403461c9acd8c00583fda2922a
SHA256: 6901e611bb1f8ebd814233c1bd63949a0bda75f205c933f077b446c56e39be8a
SHA512: 71fd92b3d680a7c7b8e3850c3d9adec4d0dc17712c873c03ff22deec5003af5cfe137eef051c8a11d2ffc3ab52705d763ec11d398ed48f4d7dc826a8ac5ff6ba

Filesize: 2.6MB
MD5: 5d64995f4f17ae396bff6eeaca08f815
SHA1: 07a6a9740a033af352243e01cca3b605f7c9bb5f
SHA256: e663391a828db42af5b519a040789c22d8038d87774b27dca6ac01d15a50548e
SHA512: 179b223b7cacb9ea78f2b13a09edda7fcf989a60414a1e0c67a56fd41e39c7e09d2eed142fa8ab889e227cc05dcaee91fca1727f76590310a60712c0f7082f6e

Filesize: 2.6MB
MD5: 2e33fc6acf0e5c293e401ff1b6d2ebae
SHA1: 7cc426a5924446823e40469dfe5d7e36dd82c393
SHA256: 939cb63901e2a431f661790a0cc7014ebe9c2e44ee7f25d2d466fc9d4abbae05
SHA512: 7dfdde2b4c0f0ac3bdafd727cf762c2295d7b8420724a2422833c2cba0a6be0dced89bc3e50f637dbbbb9ee477361851616a46b1b162c1e5ebb28590ca521121