Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 13:27
Static task: static1

Behavioral task: behavioral1
- Sample: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- Resource: win10v2004-20241007-en
General
- Target: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- Size: 2.6MB
- MD5: f66c84cf0fbe3181691b99b46bfa111e
- SHA1: 68f8f7e8ebbd53be7e3c0d9dc01fbc4bd5aa2e24
- SHA256: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638
- SHA512: d94d4e9afe3707383b85e8f826cec5ebe64bb32af5d27943467af4fb0d6ec89ca4fca59554106c6f4d46c24b1335d369ef1ecd4ca405975d0e1573c9e22bbbbe
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSi:sxX7QnxrloE5dpUpybV
Malware Config
Signatures
Drops startup file (1 IoC)
- Process: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
Executes dropped EXE (2 IoCs)
- PID 2688: sysdevbod.exe
- PID 1740: devbodloc.exe
Loads dropped DLL (2 IoCs)
- PID 2744: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- PID 2744: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Process: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMS\\devbodloc.exe"
- Process: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFR\\boddevloc.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sysdevbod.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by devbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries are repeats of the same three processes:
- PID 2744: 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
- PID 2688: sysdevbod.exe
- PID 1740: devbodloc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Each of the two write pairs is reported four times:
- PID 2744 (9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe) wrote to memory of PID 2688, procid_target 31
- PID 2744 (9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe) wrote to memory of PID 1740, procid_target 32
Processes

C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe"
  PID: 2744
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 2688
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvMS\devbodloc.exe
    Command line: C:\SysDrvMS\devbodloc.exe
    PID: 1740
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads