Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:12

General

  • Target

    115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe

  • Size

    2.6MB

  • MD5

    91397eb0bd491a98eb0795ce5c163560

  • SHA1

    9b8469b8fdbee493794ebedad56624b12326247c

  • SHA256

    115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1

  • SHA512

    a8c0aa910ed70c9c91467796fe763c9cae7a7509a400d82d11df7e5c7ab40d6ca19c7e4e06d7ca107ab4e3b2c7562b72573d1d1ef0e2874473aed14197f2a154

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe
    "C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2672
    • C:\SysDrv5I\devoptiec.exe
      C:\SysDrv5I\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2564
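The process tree above shows the two patterns a detection engineer would key on: a sample running from the user's Temp folder spawns a copy placed in the Start Menu Startup folder, and a second copy runs from a freshly created directory directly under the system drive root (C:\SysDrv5I\). The following is an added example, not part of the sandbox report, of those two checks run over process-creation events. The events are constructed to mirror the tree above (PIDs and image paths from the report); the launcher of PID 2756 and its image path are assumed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon event ID 1 or EDR telemetry would give you)."""
    pid: int
    ppid: int
    image: str


# Constructed events mirroring the process tree in this report.
# PID 1234 / explorer.exe is an assumed launcher; the rest are taken from the report.
EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(2756, 1234, r"C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe"),
    ProcEvent(2672, 2756, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"),
    ProcEvent(2564, 2756, r"C:\SysDrv5I\devoptiec.exe"),
]

# Parent image lives under a user's local Temp directory.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Child image is an EXE sitting directly in the per-user Startup folder.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
# Child image is an EXE exactly one directory below the drive root (C:\<dir>\<name>.exe).
ROOT_DIR_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
# Root-level directories where an EXE one level down is ordinary and should not fire.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def flag_events(events):
    """Return (pid, rule_name) pairs for events matching either persistence heuristic."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        # Rule 1: something in Temp writes and runs a binary from the Startup folder.
        if STARTUP_RE.search(e.image) and TEMP_RE.match(parent_image):
            findings.append((e.pid, "temp_parent_spawns_startup_folder_exe"))
        # Rule 2: execution from a non-standard directory directly under the drive root.
        m = ROOT_DIR_RE.match(e.image)
        if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
            findings.append((e.pid, "exe_in_nonstandard_root_dir"))
    return findings


if __name__ == "__main__":
    for pid, rule in flag_events(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 2 is deliberately narrow (one directory level below the root, with the usual system directories excluded) because that is exactly the shape of C:\SysDrv5I\devoptiec.exe and C:\VidRZ\bodxloc.exe here; on a real fleet you would tune KNOWN_ROOT_DIRS to whatever legitimate top-level directories your software inventory creates. Rule 1 has no allow-list at all: a Temp-resident parent launching a binary out of the Startup folder is rarely benign.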

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrv5I\devoptiec.exe

    Filesize

    2.6MB

    MD5

    225598d6cc84d0f6b98a6d91d7dbeff5

    SHA1

    c7f1ebf2c7d47ecead3d48184dfff314cbe17088

    SHA256

    abfc310c2fe7dd23d664e8bdbe383f16ba424e1775e9aae16690407ef5498e19

    SHA512

    6ad58d67a11766f3b1ab29470ef58ac5c06d18a975471fbc40519c1c82e2a7acb56a6f5875ade1130adef5f9ec2bc8a79684fca90a94dd7c0b37758ce09ae987

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    7021160d1d1850a1df1ce6339fc1785b

    SHA1

    2a848deb9736fc61c4f80683615b83b8d3d70b56

    SHA256

    501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c

    SHA512

    87ca3a59e27fdc5fdcb82ef9473ceb61863aa653612d4a0a2e86d9375f88c09baa7a81675faad74374d935f610a54ec22cc95d88b4f3c28493c4fe1a7284f7ef

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    46ab6e41f27ca2a473f361a394b6178f

    SHA1

    fe90af481aa021b2624e4ea4ebcd80f3c36c138e

    SHA256

    25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332

    SHA512

    d43d4b508f7e6cf696ded3f8e46a54e44ae359d574edf5a5c43191d8553757b082c743165f8554b414e187cbcb59fe745b3a998b658d803f9efff7ee950f7646

  • C:\VidRZ\bodxloc.exe

    Filesize

    2.6MB

    MD5

    0bbc4f4b50a0c5f6ab33f16b39c77d5e

    SHA1

    69fb00fa7b166a617183184a00d50a691894406d

    SHA256

    33cbe0f8a1d9c2a39169765877dfef21eab22b5e252d7141ebbe6ab35d874880

    SHA512

    5e122b2f8e139aa0bbabd00dcb70be96fb43b2f2b9afb58b113b9f4b8e43c5bbda6212e7e09f0155194fbcb536f1236d0e62d581472ac3c1c8e018b47786708d

  • C:\VidRZ\bodxloc.exe

    Filesize

    2.6MB

    MD5

    6877b5ba41f86c6e2d5700639a7a1bd7

    SHA1

    3b17d2a7bca0129560270e0c962dcf131830e88e

    SHA256

    694eb8b56bf37fd77230fd3e3c44d20de5770929645e1df6f26d2a48d406a8ed

    SHA512

    fac149c1bac485283ef68b5681de8273df22e366910ef24395847a1f86bd05d2022027d86b35304889febf4e723d46719ade3d02841add484647ab8b8a1aff3d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    2.6MB

    MD5

    b4c111259130544d31f42525e57f10db

    SHA1

    8a166cc4debdd537fb91ab007021d40bb1bdc5da

    SHA256

    6917841fb350eacb7304b8ce7e0ee661d8113b92c798463354ad6365a14cb7e0

    SHA512

    d056d910bf98ad3c9f7654e8ca884ef22f6cd3c44e25a44029f3a0256c27d8ee4643d9f483a1616331110e3a70aa73776a32fb18b6f86702b52928c947e0a7d3
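The dropped-file listing above is what you would turn into host-level IOCs, with two caveats a practitioner should notice: C:\VidRZ\bodxloc.exe and the .ini file each appear twice with different hashes (the file was rewritten during the run, so both hashes are valid indicators), and the .ini name embeds the OS version and user name, so its exact filename will differ on another host. The following is an added example, not code from the sandbox or the report, of a scanner that walks a directory tree and matches files on SHA256 first and on the dropped filenames second. The IOC table is copied from the Downloads section; the scan root and the sample files are assumed.

```python
import hashlib
import os

# Dropped files from the Downloads section of this report (path, SHA256).
# Paths that appear twice in the report are kept with both hashes.
REPORT_IOCS = [
    (r"C:\SysDrv5I\devoptiec.exe",
     "abfc310c2fe7dd23d664e8bdbe383f16ba424e1775e9aae16690407ef5498e19"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332"),
    (r"C:\VidRZ\bodxloc.exe",
     "33cbe0f8a1d9c2a39169765877dfef21eab22b5e252d7141ebbe6ab35d874880"),
    (r"C:\VidRZ\bodxloc.exe",
     "694eb8b56bf37fd77230fd3e3c44d20de5770929645e1df6f26d2a48d406a8ed"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe",
     "6917841fb350eacb7304b8ce7e0ee661d8113b92c798463354ad6365a14cb7e0"),
]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large binaries do not get loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(iocs):
    """Split the IOC list into a hash lookup and a set of dropped filenames."""
    by_hash = {digest.lower(): path for path, digest in iocs}
    names = {path.replace("\\", "/").rsplit("/", 1)[-1].lower() for path, _ in iocs}
    return by_hash, names


def scan_tree(root, iocs):
    """Walk `root`; return (file, match_kind, indicator) for every hit.

    A SHA256 match is reported as 'sha256' with the report path it came from;
    a filename-only match is reported as 'filename' and is weaker evidence.
    """
    by_hash, names = build_index(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable (locked or permission denied); skip, do not crash the sweep
            if digest in by_hash:
                hits.append((full, "sha256", by_hash[digest]))
            elif name.lower() in names:
                hits.append((full, "filename", name))
    return hits


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed: scan root passed on the command line
    for hit in scan_tree(scan_root, REPORT_IOCS):
        print(*hit)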