Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Resource: win10v2004-20241007-en
General
Target: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
Size: 2.6MB
MD5: 3e43ac79893671e60cb51956afb88c6c
SHA1: a0d7cd7729b11903f090c6aef75e7d2dba4435a7
SHA256: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130
SHA512: da1abc2d4b99707afdc13569ff02bcbb440dca4f8eff4b53c59edabd9beb48140ea80130e4d5302a8d678882a5ae69972b19774c3d41215c456ac494e2b0c360
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSG:sxX7QnxrloE5dpUp1bv
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
Executes dropped EXE 2 IoCs
Processes: sysdevbod.exe, devbodloc.exe
  pid | Process
  2052 | sysdevbod.exe
  2520 | devbodloc.exe
Loads dropped DLL 2 IoCs
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  pid | Process
  2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6R\\devbodloc.exe" | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIN\\optixloc.exe" | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe, sysdevbod.exe, devbodloc.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe, sysdevbod.exe, devbodloc.exe
  pid | Process
  2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  2052 | sysdevbod.exe
  2520 | devbodloc.exe
  (the remaining entries alternate between 2052 sysdevbod.exe and 2520 devbodloc.exe, 64 IoCs in total)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  description | pid | Process | procid_target
  PID 2344 wrote to memory of 2052 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 31
  PID 2344 wrote to memory of 2052 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 31
  PID 2344 wrote to memory of 2052 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 31
  PID 2344 wrote to memory of 2052 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 31
  PID 2344 wrote to memory of 2520 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 32
  PID 2344 wrote to memory of 2520 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 32
  PID 2344 wrote to memory of 2520 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 32
  PID 2344 wrote to memory of 2520 | 2344 | 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
  PID: 2344
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
    PID: 2052
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\UserDot6R\devbodloc.exe
    Command line: C:\UserDot6R\devbodloc.exe
    PID: 2520
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 461735ec337ef851d251acd66cf9098a
SHA1: 2028ed86cc9ac77dc4d70636f56138a50cf3cab3
SHA256: faa4d3aa5d00b32f9b3c36d0e5b298fccd52b464d3402ade1c90e527b9c0cc45
SHA512: 034d4179fd475cd43d71613d780bb55a1fb169a203cc26fb715f7d930c7628beb7e68ab32a1c80d8deda12f65285def623240120427a7b5f96b92ac619762fe8

Filesize: 2.6MB
MD5: a03ec0745cbbf87b4b1c84d0d3384a5c
SHA1: 5c230b4983a27b6c5ddbfe993dfec24a14a9d7ae
SHA256: 19911e8025e3ab466c27a76521992e79a0f28ac56ff0089bcb31da397b748c7c
SHA512: 3e3ba0e4f25e040df3b58871a30c9db170a8ea87bd600d68c226401fe8bc664896a3ddeda52fc04473c805f16a4a108d2af2de2a05965a9f2f99a7a769b85e0f

Filesize: 2.6MB
MD5: c443e1f50796bf14b7888622b1266cf9
SHA1: 2f473d989f134edf868c9b660e6687bc71cf3a54
SHA256: 0f4d59d4ce749c923bfcc83ceadfc7f14d9eb74f4665834e5adc596c406f1393
SHA512: 7a2c295bfa8a8d31f2ba8c510cccc9f88fbc8b634c9f5d6b4da2b04f2840a98924c3a48c2f90cdfd05405ea1ba5c3f6d7ea4f304726d3880a4a3ff343d36b1dd

Filesize: 176B
MD5: 62f3c5d569b3d35a5dad1c79887165a4
SHA1: b5b95e8f64794d6b19dc3260adf6f0aad05aedbc
SHA256: d7d50f02b8d873e56b25af5ed21ff198c107c3167d4c85712b7f5916a46a72cd
SHA512: 142702403a175a65a674413f7c3263f699d67fd2f37d1575b4914e7ea7e68a5a7ca0ff9a8542f6bd0a53a1a6a711d9ab2843db150c560c351dad3c04409e5c0b

Filesize: 208B
MD5: e30433dc3e02c459bf4ea83f545b46ad
SHA1: bd80a5c9d507d114760d128b03766897b1c6be40
SHA256: 9a86ae7ac5b712d915e2903b74bc48854f37691b425184faa4a25bd9585cf74b
SHA512: 44da8e4d6ce0616680d2d5840d240180f4ee856d488d16134b7634069346e6b95d8fb2d1341dcffbdb2245a7c557b73790db3b58679ce8310d0e93b0dd2f6864

Filesize: 2.6MB
MD5: 7d9750054f64e1f72f58aea970b712b0
SHA1: 1174d5c52e457834a6cad1522a714bcab1245d5f
SHA256: 5af8e7af584d36c4a7b841f32428e83539008140aad0e5af10c2311cbcd758f5
SHA512: d089e014c20d8ed1edc615854cfd1475131059e1508d5a508dbc23d335363d222c7a7e9cccc9ec01417e6c838954989aade712a9675c7736caf2b7272ffa0906