Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:12
Static task: static1
Behavioral task: behavioral1
  Sample: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Resource: win10v2004-20241007-en
General
Target: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
Size: 2.6MB
MD5: 463d1ea4a3d732f379b2bf231d270cd0
SHA1: 4a9e8a1be5638eca39edf12778de6f6f628f1cfd
SHA256: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677
SHA512: 2be4f1eedbd979d5af503623ab2256a4ba30895dac59e2efac457db303b411e89e7c9166c8a884841fb6543cdb155a460e28f24b899bb758c37d49ef843c3fb1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpOb
Malware Config
Signatures
Drops startup file (1 IoC)
  description  | ioc                                                                                             | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  4440 | sysdevbod.exe
  4824 | devbodec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                                  | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOK\\devbodec.exe" | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGM\\bodaec.exe" | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                       | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Distinct pid/process pairs (the report repeats these across 64 entries):
  pid  | Process
  2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  4440 | sysdevbod.exe
  4824 | devbodec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       | pid  | Process                                                               | procid_target
  PID 2212 wrote to memory of 4440  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 86
  PID 2212 wrote to memory of 4440  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 86
  PID 2212 wrote to memory of 4440  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 86
  PID 2212 wrote to memory of 4824  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 87
  PID 2212 wrote to memory of 4824  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 87
  PID 2212 wrote to memory of 4824  | 2212 | e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2212
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4440
  - C:\IntelprocOK\devbodec.exe
    Command line: C:\IntelprocOK\devbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4824
Network
MITRE ATT&CK Enterprise v15
Downloads