Analysis

max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:21
Static task: static1

Behavioral task: behavioral1
  Sample: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Resource: win10v2004-20241007-en
General

Target: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
Size: 2.6MB
MD5: 5683533888eca804288fea46c019a480
SHA1: 985208a86692bcfa0ac678d011d4cefac366cdd6
SHA256: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd
SHA512: 4ba0b018be4491073b999a4aa1ab4e9edbab96604ab69a14b961da2d3d4b0e539940fe4fac76cbcc994921244eb63857ba248de7721c2481f37fb0ccbfef533f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpZbV
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4840 | sysdevbod.exe
  472 | abodsys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5X\\dobaec.exe" | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP9\\abodsys.exe" | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The report lists 64 pid/process pairs individually; the three distinct pairs are collapsed here with their counts.
  pid | Process | entries
  1648 | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | 4
  4840 | sysdevbod.exe | 30
  472 | abodsys.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1648 wrote to memory of 4840 | 1648 | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | 87 (listed 3 times)
  PID 1648 wrote to memory of 472 | 1648 | 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | 90 (listed 3 times)
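The two persistence mechanisms in the signatures above (a file created in the per-user Startup folder, and Run/RunOnce values pointing at executables under C:\UserDotP9 and C:\LabZ5X) translate directly into host detection logic. The block below is an added example, not sandbox output and not code from the sample or its author. It evaluates Sysmon-style events (field names are assumed from Sysmon's FileCreate, RegistryEvent and ProcessCreate schemas; the rows are constructed from this report's SID, PIDs and paths, plus two invented benign rows as controls) and also lists autorun targets that were registered but never seen starting. For this report that is C:\LabZ5X\dobaec.exe: the RunOnce value points at it, but only sysdevbod.exe and abodsys.exe appear in the process tree, which is what you expect since RunOnce fires at the next logon, outside the 119-second run.

```python
"""Host detection for the persistence behaviour recorded above.
Added example: not sandbox output and not the sample's code."""
import re

# --- constructed input -------------------------------------------------------
# Sysmon-style events (EID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent
# SetValue). Field names are assumed from Sysmon's schema; SID, PIDs, paths and
# value names are taken from the report, the two "benign" rows are invented.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_RUN = ("HKU\\S-1-5-21-493223053-2004649691-1575712786-1000"
           "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\")

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\sysdevbod.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU_RUN + r"RunOnce\Parametr",
     "Details": r"C:\LabZ5X\dobaec.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU_RUN + r"Run\Parametr",
     "Details": r"C:\UserDotP9\abodsys.exe"},
    {"EventID": 1, "Image": STARTUP + r"\sysdevbod.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\UserDotP9\abodsys.exe", "ParentImage": SAMPLE},
    # benign controls (invented): a vendor autorun with arguments, a temp file write
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.tmp"},
]

# --- rules -------------------------------------------------------------------
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$",
    re.IGNORECASE)
# Autoruns are expected from these roots; C:\LabZ5X and C:\UserDotP9 are not.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def autorun_target(details: str) -> str:
    """Executable path from a Run/RunOnce value: handles the quoted
    '"C:\\dir\\x.exe" /arg' form as well as the bare path this sample writes."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ")[0]


def detect(events):
    """Return (rule, image, indicator) for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11 and STARTUP_DROP.search(ev["TargetFilename"]):
            alerts.append(("startup_folder_drop", ev["Image"], ev["TargetFilename"]))
        elif ev["EventID"] == 13 and AUTORUN_KEY.search(ev["TargetObject"]):
            target = autorun_target(ev["Details"])
            if not target.lower().startswith(TRUSTED_DIRS):
                alerts.append(("autorun_untrusted_path", ev["Image"], target))
    return alerts


def pending_autoruns(events):
    """Autorun targets registered but never seen starting (no EID 1 for them).
    RunOnce fires at the next logon, so a short run will not execute them."""
    registered = {a[2].lower(): a[2] for a in detect(events)
                  if a[0] == "autorun_untrusted_path"}
    executed = {ev["Image"].lower() for ev in events if ev["EventID"] == 1}
    return {orig for low, orig in registered.items() if low not in executed}


if __name__ == "__main__":
    for rule, image, indicator in detect(EVENTS):
        print(f"{rule:24} {image}\n{'':24} -> {indicator}")
    print("registered but not executed:", pending_autoruns(EVENTS))
```

The trusted-directory allowlist is deliberately narrow: a Run value whose target lives in a freshly created top-level directory such as C:\UserDotP9 is the signal here, and a vendor autorun under Program Files with arguments passes because the quoted path is parsed before the prefix check. Running the script prints the three alerts and the one pending RunOnce target.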
Processes

1. C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
   PID: 1648
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (child of PID 1648)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      PID: 4840
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDotP9\abodsys.exe (child of PID 1648)
      command line: C:\UserDotP9\abodsys.exe
      PID: 472
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 9f4b35a8e79763d5578ece23932a3d5a
SHA1: d45f4d694be4a60d086d51aae2749eb693ae4258
SHA256: fefa4f502dc77965a08d08b5f3f697676961b5e49eb4cfc8f161adf1d285eaba
SHA512: 0858ff6a6b7a9bac788b4c126b4a9c49c3ac896f461e78d2a8788179611daf953d4cf8ddc48ed39aa5900c42141207efc5537b67161a0057ad51a69691e63abe

Filesize: 2.6MB
MD5: e2b449e9e6520c0d9a0edd5f1786873d
SHA1: 350f842d607fcd9aa6a780c15ad5eda1f2afc941
SHA256: 7bf4323843d7d4136165fe8b7d99511613f1f64a1a0da0259824e9e8846c3fc6
SHA512: d6d929fd9b18a2fac312105de50c1c12f59ae5812eed3a0a7fe8f087872ca41769367bf5a178cd8af66963de9c31177c00ce44c076d4897b86e968a6ec146f97

Filesize: 1.2MB
MD5: ddad73d4f787cbe13851c57d7a2663ae
SHA1: 4693ea6d94291931689c00ebd0422d1c6f9e1f53
SHA256: 4d9ede245de0fa7ea57778c194459f5a39026345ffb54b34e00fd606214f6efc
SHA512: 191eadff506e35b7332ae3782980437c9493164ce3db27e25b0efccef02f9af96f2ba3a96da7532245ac7a47179ae590e5240c2a06f19eec30f0235ce79aa8ab

Filesize: 2.6MB
MD5: 3ba2532580d2105902edf083b6b2178e
SHA1: 824ced5b0b07032eeccdf667f6c9a749f9333b82
SHA256: 86ba3a13727fdd5ba440a24e6a0be5a2f7610c4321250735ddbb983111d7a838
SHA512: e743f792d03f990e606b529e2446639f4da1e19924833b1ef3681fdc11d3b187a251f4c58030fff414983a16cc00481d6fdcc50bd55764b3683dd4e2ff39c2e9

Filesize: 203B
MD5: 5e8c6852aef7b24c6637a93fde3d1853
SHA1: 6e71716a507fe0ea32e3f99c611fe6c2abd4bd65
SHA256: 91f9c37d193c5ad0290938426b3ac55ed8f1ba7657732df6afd83e9b5bb2fb46
SHA512: 0059625dcaa79a6f306ea823508b2c6f288c48ac32e69c040ced556fd0e831bfbd46942cb09c2e738cbd4f21c4e754bca96faee26c66765151b09ac2586cc950

Filesize: 171B
MD5: d80242a6d0cc762c772f318ff98349f1
SHA1: 9df217006351cfed82dda72dbc3ead378a702f3f
SHA256: 7bf6baf7cd44036733bca4345690bffdf7376820eaa584f10ff9cb3a63eb012e
SHA512: ca196965c2e5d41d359373616c613acbbe58d916b461e5e319d3f6ba9a2eff565ed8b93632543f188d0122d0c146f7906a56dd6275ff493ec5e4cdbb3c113729

Filesize: 2.6MB
MD5: 614eaac69bc41b294053e961d96313dd
SHA1: dc6d2b566aedec298dbfddb10979fe0416ef3f99
SHA256: 6d6ee43c9df9b4aa3347288c70c407cad212fa0a352c3b5135c55bf7319a0c98
SHA512: df6b5e67b6c58dbe816bb6a16c9483b75de664cfa13d511a65220a5eb94e8a11c221ecbb129f6ae769198cdca4c31937a327fb1ad17609e8342674d7a7a6c3a6