Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/11/2024, 17:20

General

  • Target: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
  • Size: 2.6MB
  • MD5: 8b73c5c47d43028025eedaec97f5c6ce
  • SHA1: 94fd2ece89f0d2c0f2ec16ed950de5281b43f30a
  • SHA256: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff
  • SHA512: 859a98bf38d777d28fb27b5b6da08df54b443efbb9cc9d537fff42630980230635c9a916c8847a9f9df43fb512f5c9e87c59e233108bbab8896ccae7ea925cff
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq2:sxX7QnxrloE5dpUp0bV2

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
    "C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1744
    • C:\FilesAE\devdobec.exe
      C:\FilesAE\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:688

Network

Downloads

  • C:\FilesAE\devdobec.exe
    Filesize: 2.6MB
    MD5: 50b85bb2124a77874a4f765bffd4eb2e
    SHA1: 245fc52e1d47a70d8aa1752a6487e50a498d4753
    SHA256: fe23a8fa0351e0e177b1507beb0400b177ffadb2639706ff124e39fccd16ac45
    SHA512: 0ba470edca3d14d09f1ffea9f7d4ff16791f3849aebd425e57c1278d68ac293cc68eb5f4c04f89e2ab362d3d234149e0470894b084d7c92eb55b43e23eca5449

  • C:\LabZWH\dobdevsys.exe
    Filesize: 2.6MB
    MD5: f5650fd987871096af4b663b2f8dad94
    SHA1: d0236eb2f8108f8d2eaecdfcf5a92a531108bc32
    SHA256: da5ac14e2514d6cad2e24b080f8bc08ba97ea0047ca769aeacbac8ea4759deee
    SHA512: 91331663f9035f94921d1372fce3c710370f602bb0b19ad2d4313cace4772c31f227f5aaebdda0625b9421fedded54fce9d7ee832018c1e51a5de8138c6a438e

  • C:\LabZWH\dobdevsys.exe
    Filesize: 2.6MB
    MD5: 844abeb2bbb32a2267664a2676846366
    SHA1: 898f0220d9b8e9f7a1497c0db61bd3d1693e22dc
    SHA256: 1177adde22ef21aa76e2f024ce306ff77221dee3a64ac815c756b2bfe729175b
    SHA512: 267b8328e1e998eb81f7deb91d646a747e944edeedc6ab9aa7b98fe7ace382db8778d8c5cbb200a564ad619fce0a4156c9c63e7eb2815750078d773a8b91ba94

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: bdb443e6527ca2e61c72869c7429a865
    SHA1: a17c535c67f35ec3f7665fb8cf8897c99f45f39d
    SHA256: 46ba9a4c6ceb75bed5aef74ecbcfe3b5e9ae3a98468d33cf9e55ddda8b823ad8
    SHA512: fcf4ef99ba82c892e0bb452fe74467386cdb4b456c380a30217334ae7d7835aa7e7e13c419d902da1a297b0a980301a935ac721545292474da527d85091fe0cb

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 8607b45399549c56d415a514d5422134
    SHA1: 477cbd16a26f88ec71a6aff1e92ecc757ceac6e9
    SHA256: a2b7469b14407ccf3591129f1f9fd63325d665f492beba8c1b9e92eb2c9e262e
    SHA512: 6330eb621528e81ad6055777306700950f1e5a7a7bcf6c612e693f60668552ea681f9f205cb1251f6a9a425b344a96f88cfc37176b10b10571788b80fc05c2ad

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: 3d9f11f7fe8c49c5ab088e5ee7a83380
    SHA1: d0602abe6de37927984f9f94cffb6a2321355a29
    SHA256: 42851bf91c8d5f9f9d4cea0010892691b8cba3a08d8f9b55848960a15946b7c2
    SHA512: 605d180d3ea5102d9a9d25314b4e09f9c08d8061235c1c7fc4946cba106ac92b9de0fc93088813032702e827b4dc8b7a9429695d32d1fc3c016683bee069169e