Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:20
- Static task: static1
- Behavioral task: behavioral1; Sample: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe; Resource: win7-20240903-en
- Behavioral task: behavioral2; Sample: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe; Resource: win10v2004-20241007-en
General
- Target: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
- Size: 2.6MB
- MD5: 8b73c5c47d43028025eedaec97f5c6ce
- SHA1: 94fd2ece89f0d2c0f2ec16ed950de5281b43f30a
- SHA256: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff
- SHA512: 859a98bf38d777d28fb27b5b6da08df54b443efbb9cc9d537fff42630980230635c9a916c8847a9f9df43fb512f5c9e87c59e233108bbab8896ccae7ea925cff
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq2:sxX7QnxrloE5dpUp0bV2
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (Process: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1744: sysdevbod.exe
  - PID 688: devdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAE\\devdobec.exe" (Process: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWH\\dobdevsys.exe" (Process: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: sysdevbod.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: devdobec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4308: 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe (4 events)
  - PID 1744: sysdevbod.exe (30 events)
  - PID 688: devdobec.exe (30 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 4308 wrote to memory of 1744; pid 4308; Process 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe; procid_target 88 (3 events)
  - PID 4308 wrote to memory of 688; pid 4308; Process 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe; procid_target 91 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"), PID 4308
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"), PID 1744
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\FilesAE\devdobec.exe (command line: C:\FilesAE\devdobec.exe), PID 688
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads