Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/05/2024, 23:17

General

  • Target
    72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
  • Size
    4.1MB
  • MD5
    882d05386b0ec3c2e19df624ce93281a
  • SHA1
    6571d0d1042a60e97bf03475be21194437141e28
  • SHA256
    72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0
  • SHA512
    f0519071499f44f974f463af623fff32c8d8c5a65ca23feb42a3d1494396ecc758baca5fa26e7e0d80a514395c24409fde597b54b3300e0054af27634e34ea4b
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
    "C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3780
    • C:\Intelproc2N\devoptisys.exe
      C:\Intelproc2N\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1592

Network

        Downloads

        • C:\Galax15\boddevec.exe
          Filesize
            2.1MB
          MD5
            9ce8a05d4e7545d8767fdb5f41ae20eb
          SHA1
            d28d8b70dcd539aae11b5009151a00a552313b91
          SHA256
            346fd158e582503fb2956ef67ca73d6bdc59f3a88af49be3d140aeceff6c6981
          SHA512
            b2a3299200ed06f4c08d5ef57fabdf7e0e59deeca81dd46239dbef77f1a8c9135ac2f01b1f27ec15b238b0e727c200e17896b1411aae80bbb96c85195c8f4d5c

        • C:\Galax15\boddevec.exe
          Filesize
            4.1MB
          MD5
            f69aeb02f45137991ed81168245b3f1b
          SHA1
            6bb2c0ea804f84c3a0591623a05c59b19b2cccca
          SHA256
            afbe12083809699acd7df5003213f84af4d7879af0b2c1eb1dc6fdc1c0180552
          SHA512
            6c496cdab78620ff6b0cfd548a3d0bd216f99c709e0c0fb3e8902f6f01b94c485ae1f2cbe879675831f4dbb27b8d6b677589aca7abab28193f9ff94f2571f528

        • C:\Intelproc2N\devoptisys.exe
          Filesize
            4.1MB
          MD5
            d95dfd47892d77cc18928a016fce804d
          SHA1
            0beec5057ac6a64258953590a06b36e0cc58ad23
          SHA256
            91ae5b3abb24d72b42bb1197e7624947354c083041b074ac5bdc99889746d2fe
          SHA512
            102fa89a141b9b3e6d1377e1c9a28d56b9c2ceef559daa9030416f7939c8647589106a2156cc685f05eb87a2d647db2c788e313a7b3eeb0221149e8f07219f24

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
            208B
          MD5
            dad9d8944835aad210d3f78616322ccb
          SHA1
            41ef7ccc6413995d2b0f4c11915dbaf836c5fcd4
          SHA256
            33f192a3176c41ff8d2de6c4f121fd2ac4da8e38cc89caccb1ec4d3b2b66afbe
          SHA512
            97be59999ad9a00e3f0a3f66432b7232ba85d351576e2d7dbf78f499164f003fb2fbcde9994707e27248263a414c18f5c4098f40c9c85039b46ca287c4418b74

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
            176B
          MD5
            528cf5756d873cf82b92f12ae0944fcb
          SHA1
            f33f792d7acd5f6dc275665505b91643b6bceb0f
          SHA256
            bc7ae57e6f48f3e2cea6a3c52b9a533c52aa1582df36c288f2866eedee819ea2
          SHA512
            29513640aa16c5f09f5990a75ba07ac6942c82c9344bd743d5dba5ad1f6f0a6fe0d2441826502ca30819650afd4031c3e1bd9147c38137a31e531b63ea2d6c2c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
          Filesize
            4.1MB
          MD5
            23cf8b3e77450549a06bf1abdd385136
          SHA1
            225a7b46ca55851ab01de9d62f3d00261c58d5dd
          SHA256
            e98c73cd1ac53082b1898cc765e41e54d90d295afdebf431e35823b2b7dc98c2
          SHA512
            b8d964e0cfa8115c4d536d9c2034da9449e09447c525f013e9ac9cf9b4e74bb295fca8b39b45b9e7b10b8ee51c8d12022ee9e8213eaa2ec8fed0442502af014b