Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Resource: win10v2004-20241007-en
General
Target: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
Size: 2.6MB
MD5: f7c91568e0ad74851e94df6c04f44f80
SHA1: ffc774105161917f47d12b6a9013ca3bc26e1f86
SHA256: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352
SHA512: f8c0ea51c48762f4eb5681b0dd203b621e61d442f13f14084c5a50bff3901a3c0e4472ae88ed615b2291f47707fbbabadb3270faaff5a25ba0a8e49ed1cc0568
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpob
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
description    ioc    Process
File created    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid    Process
1048    sysdevopti.exe
744    xbodloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description    ioc    Process
Set value (str)    \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0K\\xbodloc.exe"    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAC\\boddevec.exe"    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description    ioc    Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    sysdevopti.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    xbodloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    Process    occurrences
3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    4
1048    sysdevopti.exe    30
744    xbodloc.exe    30
(64 IoC rows in total; the original table lists each occurrence as its own row, alternating between sysdevopti.exe and xbodloc.exe after the four initial rows for PID 3848)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description    pid    Process    procid_target
PID 3848 wrote to memory of 1048    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    86
PID 3848 wrote to memory of 1048    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    86
PID 3848 wrote to memory of 1048    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    86
PID 3848 wrote to memory of 744    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    89
PID 3848 wrote to memory of 744    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    89
PID 3848 wrote to memory of 744    3848    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe    89
Processes
-
C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3848
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (child of PID 3848)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1048
  -
  C:\Files0K\xbodloc.exe (child of PID 3848)
    Command line: C:\Files0K\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 744
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: 1a84319efbcc2411a83433a97cbf94b9
SHA1: ca48340030c0140632c2b600ffa9b017505a4118
SHA256: 1d1eeca6f7a7b91686eef75f9fd0ea5bb2d879f9226b70c5e54041569e8f7713
SHA512: c2406a92d0f6d77cba79329cd3de7eb3f34180812e1435fe63b1ce29430f679c31f2e1f0d1affb1e5bb8169daab1845c4a3bd1c34f79bed903cba5121f90de09
-
Filesize: 203B
MD5: 55abfb73f88f00f8484bfc7fdc4f927a
SHA1: 486bf23deceac14ea27896a5741aca302c77ee48
SHA256: 2e97712022dae969814d022183d0fc69ff090064eb2e8d0cff7b9b9b0dc0f574
SHA512: 9e782333c3fc80b2560a48a7732719ea1be95ed1ac892c4d555dbeb7ff0c422900109108f9813e558881a95c6e192fef6b21f99d97ae574d76e531eff61be1b4
-
Filesize: 171B
MD5: d0555bd51218fa73b9b70b9968430965
SHA1: a7c83dd3d8f00854d5824ac35909aba5f56359e2
SHA256: 2558d6be60a2f9e431c335d77cee55d2364d00451bc46140fa5306bd3550e2d2
SHA512: 72718235800c2d0aeeabc119e6cbe1e7d579dc359fa6b3d3dd77ddc7b6e465a4c3af78e120820c2e2d4808736e60fc88e038e49166de54076933d9287ef9ff53
-
Filesize: 2.6MB
MD5: 140d47b2025034deadb15a30d69ca833
SHA1: 85b7edb780a9b21a0689b436f9b617e40c129cde
SHA256: c2557c032d7522350d35e87a58e91fffbe4dba1ad3d2da4b51d5f73adbbba004
SHA512: b756a13c38efebb38018b192e3a55fdaa9f9d33aa7e35395affec25c71c702affb229c3d97a09042e3450889ae3a3847f6d7cf28da60e88485a5293a1ff9681c
-
Filesize: 2.6MB
MD5: 1cf901b195a1379f2072d593c4493a43
SHA1: 86b1a05fc7db62211e984d172f92a7c4f32ab442
SHA256: 3d52e7bc0bc4f8ff13db145f916000655626046a3f08ed385bcd51f41324710b
SHA512: 685785d98f6ca9ca9db71f03038554ae82202d6191f5ec7e15b4cdc282ff83dc603677f48390116a8ca031ef11222b0f062fb7fcd0a2bd13222562f6774917e9
-
Filesize: 2.6MB
MD5: 1519c29f81a2d882266b0cb2fc08c6ef
SHA1: b0ea222619b2b6c3014b8fad8c91e6390fc700a7
SHA256: 2ec36c1f9fafa5616d4181f2813942079341183fcc0f429595577437979d6c60
SHA512: f4b76c8600eb13c361989135e23b195d09b85fa67057252b1c87b7844af0853dc400687f96306963bcfc6e8cf5fc4c2401650b8d7f38d182e6813a58b7354297