Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Resource: win10v2004-20241007-en
General
Target: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
Size: 2.6MB
MD5: 8783f6824ec21bbc49a9b9081cbae892
SHA1: 85a63c5c1c7a7a14a8c8a090e1e648b1eb770433
SHA256: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499
SHA512: e59e0b90b56a77f9c206059baebb95ac9cd7eda3c9516fa72b093eb225039604d1c2c998f246e98c7560e8ad25b7506e8b975ca27145435cb4afe2c396d494bc
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSy:sxX7QnxrloE5dpUpvbt
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe

Executes dropped EXE (2 IoCs)
Processes: sysdevbod.exe, devdobloc.exe
  pid | Process
  2524 | sysdevbod.exe
  2544 | devdobloc.exe

Loads dropped DLL (2 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  pid | Process
  3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYY\\devdobloc.exe" | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG6\\dobdevloc.exe" | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe, sysdevbod.exe, devdobloc.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe, sysdevbod.exe, devdobloc.exe
  pid | Process
  3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  2524 | sysdevbod.exe
  2544 | devdobloc.exe
  (the remaining 60 entries alternate between 2524 sysdevbod.exe and 2544 devdobloc.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  description | pid | Process | procid_target
  PID 3044 wrote to memory of 2524 | 3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | 30 (4 entries)
  PID 3044 wrote to memory of 2544 | 3044 | e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | 31 (4 entries)
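The two persistence signatures above (a Run/RunOnce value written under HKCU and an executable dropped into the per-user Startup folder) expressed as detection logic, as an added example that is not part of this sandbox report and not the sample's code. The events it runs over are constructed from the IoCs on this page using Sysmon field names (EventID 13 registry value set: Image, TargetObject, Details; EventID 11 file create: Image, TargetFilename), and the trusted-directory allowlist is an assumption for illustration. One caveat worth carrying into a hunt: the RunOnce value points at C:\MintG6\dobdevloc.exe, which never appears in the process tree within the 120s kernel window, so the registry write itself, not a child process, is the only evidence of that path.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Auto-start registry values (any hive prefix): ...\CurrentVersion\Run\<name> and RunOnce\<name>.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Per-user Startup folder; any executable dropped here runs at the next logon.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Assumption for illustration: directories a Run value may legitimately point into.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

SAMPLE_IMAGE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
)
USER_HIVE = r"HKU\S-1-5-21-3063565911-2056067323-3330884624-1000"

# Constructed Sysmon-style events modelled on this report's IoCs, plus one benign
# Run value and one unrelated process-create event to show what the rules ignore.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotYY\devdobloc.exe"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\MintG6\dobdevloc.exe"},
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",          # benign (constructed)
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str   # process that performed the write
    ioc: str     # registry value path or dropped file


def _command_path(details: str) -> str:
    """Extract the executable path from a Run value, tolerating quotes and trailing arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ")[0]


def _is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(events):
    """Apply both persistence rules to a list of event dicts; returns a list of Finding."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            target = _command_path(ev.get("Details", ""))
            # A Run value is only flagged when it points outside the allowlisted directories.
            if target and not _is_trusted(target):
                findings.append(Finding("run_key_untrusted_path", ev["Image"], ev["TargetObject"]))
        elif eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            findings.append(Finding("startup_folder_drop", ev["Image"], ev["TargetFilename"]))
    return findings


def escalate(findings, threshold=2):
    """Images that used at least `threshold` distinct persistence mechanisms, as this sample does."""
    by_image = defaultdict(set)
    for f in findings:
        by_image[f.image].add(f.rule)
    return sorted(img for img, rules in by_image.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:24} {h.image}  ->  {h.ioc}")
    print("escalated:", escalate(hits))
```

Against the constructed events this yields three findings, all from the submitted sample's image, and `escalate` returns that image because it combined a registry autorun with a Startup-folder drop; the vendor Run value is ignored by the allowlist and the notepad event by the EventID filter.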
Processes

C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
  PID: 3044
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 2524
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\UserDotYY\devdobloc.exe
    Command line: C:\UserDotYY\devdobloc.exe
    PID: 2544
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: d073526555fc343042200ec442ae4b50
SHA1: 798bdebc02614ba49e9f735feb2779b195db043f
SHA256: 924b00269737567250da884aad697302dcf6c51bdbb7408759e7b476b20ee1a0
SHA512: 1dbeef5a673f34363f24e2b08172cdd807674843509456ea740de5b9f31ed3ffdcfab796bc6dfbb6718b8ba9e505e8d01d3d9fe30c418cd6bb57e800aca4a80c
-
Filesize: 6KB
MD5: eca5ea25f6a32a95c09d2d11f140c43b
SHA1: fc7c4ffc46b345747cc079073a62c80c129f2442
SHA256: 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17
SHA512: 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61
-
Filesize: 2.6MB
MD5: d89c526b4dc4d164f53bd773ba009719
SHA1: 968593667fc3a788eec54d65f4e5d7923a69f85f
SHA256: 29b544bc3111379791cf0f4b5b6b76c96efe2f46c92e4869addd559c04405be6
SHA512: 70f6f9edff438b7a0a456a6c2955a8c9338b26d9100f7fe9877f0209fbb5ca2d8025954ceb6067efacf4dbbd40decdd75482c46b1c1d73f7e9718c9f81d4918f
-
Filesize: 176B
MD5: a7af81c20cb6dfc1dc359a0254481e4a
SHA1: 42ee04dbe4a724959f3bd69e9accee067f01603b
SHA256: ae37b33824605125f038774b1ea27af9be33c28e118187e9efa3abe68f998c62
SHA512: 16b8d13c51088b0ef97a7a387adfb242bdf2a3ed4e8e9755cf81ecae5bf5bf59902500d9a342ac206b7de43486ba68a4fba554667ee8b6841769674044bf140e
-
Filesize: 208B
MD5: 419ca0b481a284c850d01f46dc93ebe0
SHA1: c5ee9ba4e5bedab1ef19433b806da71cd693110b
SHA256: 37d6f4972e355e1891eb10b8e8da4f1399b7c14beb63ed43ef4295fd967dc8aa
SHA512: 703ce544d73b1d141585cdaa6e7a0093abe7220a31eb77dc48b8fec79843dacd80e280b2d5cd1e9ed4c2b769d257692ba6117582c44db0ea34eab6b262add9c3
-
Filesize: 2.6MB
MD5: 0d58208ef1afaff6539c942e568065ea
SHA1: cf7894489ee188e4d540ccf18b73b20cb001d023
SHA256: d8385d0294f6c3ba43eb70245bb6236699e3c054bd7bf34bb9f422fb32f62af8
SHA512: d7e2a3c9c14dc44e61b6d1827526c61e3f4491f8aed00d6feb6101225d2d5b2a11ba6980d8554aa0f5d8a7d3fe3a024ae6208fe3092b74e3391845b1577a8dca