Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:27

General

  • Target

    9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe

  • Size

    2.6MB

  • MD5

    f66c84cf0fbe3181691b99b46bfa111e

  • SHA1

    68f8f7e8ebbd53be7e3c0d9dc01fbc4bd5aa2e24

  • SHA256

    9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638

  • SHA512

    d94d4e9afe3707383b85e8f826cec5ebe64bb32af5d27943467af4fb0d6ec89ca4fca59554106c6f4d46c24b1335d369ef1ecd4ca405975d0e1573c9e22bbbbe

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSi:sxX7QnxrloE5dpUpybV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
    "C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2688
    • C:\SysDrvMS\devbodloc.exe
      C:\SysDrvMS\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1740

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintFR\boddevloc.exe

    Filesize

    2.6MB

    MD5

    096195b66d8d5a40bfaca8ba8748b291

    SHA1

    663772dd3c846b6a110db5cf1f4e8331cc1f3a0f

    SHA256

    b1a1efbfb440bd01de105d34e41ad06c107859afac510d66cb5eec6834c17901

    SHA512

    97c53f962eaf19122f74364d1b1c09f7409a3a2fa1d4b3d7938ca0c5fa3ea56c227b1bca3c656bab047df25928d6e685235ffa0193db831b8c0c8007c6a9afe3

  • C:\MintFR\boddevloc.exe

    Filesize

    2.6MB

    MD5

    eb40e642b8442650561217e01809bceb

    SHA1

    0b5b00a016a1ef09d73c820d46cb88fe6bd32752

    SHA256

    2bb504501de98916564172c3660069f1651b327352f3769a2208eaa5fc6ffc3a

    SHA512

    ae301718a800da09ca2fef20f29340d32a3adb3d12e619f8e8762ce9a3c36d3875871cc2c68f363d7ed2843bba886ddbeaccfa1503dcaf3829b45d90578aecfa

  • C:\SysDrvMS\devbodloc.exe

    Filesize

    2.6MB

    MD5

    4074ebc32540e509c9115448f3cf3dc6

    SHA1

    26437b006cfd8d9b557944ba59933d15c5aadb4a

    SHA256

    eb09979b639039f9b39c1422528840ee10d70c0fc3a203810eb4eeabd3ccecd0

    SHA512

    5a76524ac411ea775b93c9de80a8529b67fa603c8d6f924592ea2ca8095e60b622cbf91bb8e27d1e1f08e07b064a59b4846868044bca9ea257fb5497ca6152d4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    6860da30cf41c6a0ef883a568701d98c

    SHA1

    063a2fdfe062a6a3e93bf4b8d0572ab5cbf45eb4

    SHA256

    e1698591b7331d95694ee9ba72d4926103d639d90b56004b1c8435858d3ce8a6

    SHA512

    eb930ca86b74b6760e4084a87c50f27f459fbd920b81deb76aecb1591b207a9a3259f53b0c26c8c369ed2d984aada5fc70f8f4aa44d362e62ff0aa4312440313

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    77fa7ec527ecbd6da74db54c70b1d148

    SHA1

    8545d88420a166342d667d3694dfe6bddd82e373

    SHA256

    52b9e9c1fde8f8aa8ff97cf77d1f12432534710936f7074d87e47e7845d4dc33

    SHA512

    27e4aefd4338264a048f16150f7e6f6bf2107cae1d6b74d1aa268ceb11dd0d589b4532fd5153146572361f008b50d6458db984bb1e112691e93904ac0569a7fc

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    beca1b5c5d1f2bcfadca9e829f738887

    SHA1

    68ef1ce30a46c14dd08eb62027b6f9e91a7772cb

    SHA256

    335e5848fffaa86c93141a7281b16ca0241112e5447dddedd48319fd51cda8f5

    SHA512

    65546618ff1143eaf165271572b8a5355ce3006a1f011d27a9f7dea846370108d8ab6378e9f975ef894f343c75c8d65a1c135d3dd99b1da9675256aec15d4141