Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/11/2024, 17:21

General

  • Target: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  • Size: 2.6MB
  • MD5: 5683533888eca804288fea46c019a480
  • SHA1: 985208a86692bcfa0ac678d011d4cefac366cdd6
  • SHA256: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd
  • SHA512: 4ba0b018be4491073b999a4aa1ab4e9edbab96604ab69a14b961da2d3d4b0e539940fe4fac76cbcc994921244eb63857ba248de7721c2481f37fb0ccbfef533f
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpZbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
    "C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4840
    • C:\UserDotP9\abodsys.exe
      C:\UserDotP9\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ5X\dobaec.exe
    Filesize: 2.6MB
    MD5: 9f4b35a8e79763d5578ece23932a3d5a
    SHA1: d45f4d694be4a60d086d51aae2749eb693ae4258
    SHA256: fefa4f502dc77965a08d08b5f3f697676961b5e49eb4cfc8f161adf1d285eaba
    SHA512: 0858ff6a6b7a9bac788b4c126b4a9c49c3ac896f461e78d2a8788179611daf953d4cf8ddc48ed39aa5900c42141207efc5537b67161a0057ad51a69691e63abe

  • C:\LabZ5X\dobaec.exe
    Filesize: 2.6MB
    MD5: e2b449e9e6520c0d9a0edd5f1786873d
    SHA1: 350f842d607fcd9aa6a780c15ad5eda1f2afc941
    SHA256: 7bf4323843d7d4136165fe8b7d99511613f1f64a1a0da0259824e9e8846c3fc6
    SHA512: d6d929fd9b18a2fac312105de50c1c12f59ae5812eed3a0a7fe8f087872ca41769367bf5a178cd8af66963de9c31177c00ce44c076d4897b86e968a6ec146f97

  • C:\UserDotP9\abodsys.exe
    Filesize: 1.2MB
    MD5: ddad73d4f787cbe13851c57d7a2663ae
    SHA1: 4693ea6d94291931689c00ebd0422d1c6f9e1f53
    SHA256: 4d9ede245de0fa7ea57778c194459f5a39026345ffb54b34e00fd606214f6efc
    SHA512: 191eadff506e35b7332ae3782980437c9493164ce3db27e25b0efccef02f9af96f2ba3a96da7532245ac7a47179ae590e5240c2a06f19eec30f0235ce79aa8ab

  • C:\UserDotP9\abodsys.exe
    Filesize: 2.6MB
    MD5: 3ba2532580d2105902edf083b6b2178e
    SHA1: 824ced5b0b07032eeccdf667f6c9a749f9333b82
    SHA256: 86ba3a13727fdd5ba440a24e6a0be5a2f7610c4321250735ddbb983111d7a838
    SHA512: e743f792d03f990e606b529e2446639f4da1e19924833b1ef3681fdc11d3b187a251f4c58030fff414983a16cc00481d6fdcc50bd55764b3683dd4e2ff39c2e9

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 5e8c6852aef7b24c6637a93fde3d1853
    SHA1: 6e71716a507fe0ea32e3f99c611fe6c2abd4bd65
    SHA256: 91f9c37d193c5ad0290938426b3ac55ed8f1ba7657732df6afd83e9b5bb2fb46
    SHA512: 0059625dcaa79a6f306ea823508b2c6f288c48ac32e69c040ced556fd0e831bfbd46942cb09c2e738cbd4f21c4e754bca96faee26c66765151b09ac2586cc950

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: d80242a6d0cc762c772f318ff98349f1
    SHA1: 9df217006351cfed82dda72dbc3ead378a702f3f
    SHA256: 7bf6baf7cd44036733bca4345690bffdf7376820eaa584f10ff9cb3a63eb012e
    SHA512: ca196965c2e5d41d359373616c613acbbe58d916b461e5e319d3f6ba9a2eff565ed8b93632543f188d0122d0c146f7906a56dd6275ff493ec5e4cdbb3c113729

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: 614eaac69bc41b294053e961d96313dd
    SHA1: dc6d2b566aedec298dbfddb10979fe0416ef3f99
    SHA256: 6d6ee43c9df9b4aa3347288c70c407cad212fa0a352c3b5135c55bf7319a0c98
    SHA512: df6b5e67b6c58dbe816bb6a16c9483b75de664cfa13d511a65220a5eb94e8a11c221ecbb129f6ae769198cdca4c31937a327fb1ad17609e8342674d7a7a6c3a6