Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:34

General

  • Target

    f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe

  • Size

    4.1MB

  • MD5

    8f466d4abf03a5d6f4e88699db920637

  • SHA1

    9664af2358342eb7baa0ed5b8596faafbc570d21

  • SHA256

    f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680

  • SHA512

    e760c6348b5b6775a31a4c6b73572c5a913e295c3f7f8ab9e5f9a3fa0b0b41b3631f298bb1126654b45217c3c47901b9b5d9fd99fcef754abdaa13ad5a871e36

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
    "C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4628
    • C:\AdobeLQ\devdobec.exe
      C:\AdobeLQ\devdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3668
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4680
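
    The process tree above shows a complete persistence chain: the submitted sample (PID 4768) writes a copy into the user's Startup folder and into C:\AdobeLQ, adds a Run key, and both copies are then executed as new processes (PIDs 4628 and 3668). The script below is an added example, not part of the sandbox report, that encodes that chain as detection logic and runs it over a constructed event log. The PIDs and file paths in EVENTS are the report's; the Run value name and data are assumptions, because the report records that a Run key was added but does not show its contents.

```python
"""Behavioural detection of the persistence chain shown in the process tree.

Added example, not part of the sandbox report. EVENTS is a constructed event
log that mirrors the tree: PIDs and paths come from the report, the Run value
name and data are assumptions.
"""
import re

# Per-user and all-users Startup folders both end in this suffix.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce (ATT&CK T1547.001).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$",
                        re.IGNORECASE)
# Images outside these roots are treated as non-standard locations.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe")

EVENTS = [  # constructed; listed in the order a sandbox would log them
    {"type": "process_start", "pid": 4768, "image": SAMPLE},
    {"type": "file_create", "pid": 4768, "path": STARTUP + r"\ecdevdob.exe"},
    {"type": "file_create", "pid": 4768, "path": r"C:\AdobeLQ\devdobec.exe"},
    {"type": "file_create", "pid": 4768, "path": r"C:\Galax3P\boddevsys.exe"},
    {"type": "reg_set", "pid": 4768,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "devdobec",                      # assumed value name
     "data": r'"C:\AdobeLQ\devdobec.exe"'},   # assumed value data
    {"type": "process_start", "pid": 4628, "image": STARTUP + r"\ecdevdob.exe"},
    {"type": "process_start", "pid": 3668, "image": r"C:\AdobeLQ\devdobec.exe"},
    {"type": "process_start", "pid": 4680,   # benign Edge helper, must not alert
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]


def is_startup_folder(path):
    return STARTUP_RE.search(path) is not None


def is_run_key(key):
    return RUN_KEY_RE.search(key) is not None


def is_standard_location(path):
    return path.lower().startswith(STANDARD_ROOTS)


def run_target(data):
    """Extract the image path from Run value data, handling quoted paths."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def detect(events):
    """Return (label, pid, detail) alerts. 'dropped-exe' has no ATT&CK ID of its own."""
    alerts = []
    dropped = {}  # lowercase path -> pid of the process that wrote it
    for ev in events:
        if ev["type"] == "file_create":
            dropped[ev["path"].lower()] = ev["pid"]
            if is_startup_folder(ev["path"]):
                alerts.append(("T1547.001", ev["pid"],
                               "dropped %s into a Startup folder" % ev["path"]))
        elif ev["type"] == "reg_set" and is_run_key(ev["key"]):
            target = run_target(ev["data"])
            where = "standard" if is_standard_location(target) else "non-standard"
            alerts.append(("T1547.001", ev["pid"],
                           "Run value %r -> %s (%s location)" % (ev["name"], target, where)))
        elif ev["type"] == "process_start":
            writer = dropped.get(ev["image"].lower())
            if writer is not None:
                alerts.append(("dropped-exe", ev["pid"],
                               "executed %s, written earlier by PID %d" % (ev["image"], writer)))
    return alerts


if __name__ == "__main__":
    for label, pid, detail in detect(EVENTS):
        print("%-10s pid=%d  %s" % (label, pid, detail))
```

    Correlating the file write with the later process start is what separates "Executes dropped EXE" from an ordinary process launch; the Edge helper (PID 4680) starts from a standard location and was not written during the trace, so it produces no alert.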

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\AdobeLQ\devdobec.exe

      Filesize

      319KB

      MD5

      154968e9ef005118202aea2b1d05fcf9

      SHA1

      52b21a6910b967ef36b2723534904820b5f7a906

      SHA256

      f7bb8d36a9ed17856280a0427107018860c93cef430deb49e4eb57918830997c

      SHA512

      5adbca246c05550bb2486952832eac7e9d0a38492bea77c3d5bf084bd853ed602bcf4caca61b32d412f58b1383a779ee1c07c28802fdc23f5db70cf4399bc8fc

    • C:\AdobeLQ\devdobec.exe

      Filesize

      4.1MB

      MD5

      73eda3a1f5fc4555107256038f979c04

      SHA1

      8d8651f11195467817a59124a2e9a93fe2b56051

      SHA256

      7db57fef2b3fcd4e99a5668f2352842880951523344467bfa94f52a609567607

      SHA512

      8c4f7b0e4375765d9cd500fcbf8141d664ea84c271f2e2f6373c809968eca00056d2502ed9f6a2ce32aeec1c9009eeb8d25dfcdbae1711d65efa2b67c6d96d51

    • C:\Galax3P\boddevsys.exe

      Filesize

      4.1MB

      MD5

      2359be6e30cf56ace6e358faf1958993

      SHA1

      faf96a0ef12960f8d54c7be81734f91ede2d592b

      SHA256

      c204e04062455b19d8a601a70ea7c883cf15c7c4d7bc0b2f614a57367221c2d9

      SHA512

      10f296837961438d78a8722be08a18bf8e0b1cca06330f1fe77d1d5b99c360d302a39db0d9890c81ea277695b7b711810903c32f4d7bcbdcd6afcebc0fa34502

    • C:\Galax3P\boddevsys.exe

      Filesize

      3KB

      MD5

      1277107cabcc016a5fd1f1042e36a2e3

      SHA1

      d7f8e8f7a16218d6bb1dce7bd03617500801eb78

      SHA256

      8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273

      SHA512

      f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      205B

      MD5

      742e89c8bc8d837b56bdac9a17316dc7

      SHA1

      3be0f683a5a829c8afb619de37dc02f57f2f1a3b

      SHA256

      cc5b61473a514a5845a88d41fa190200f77b468605ae1fd71bbd4cd37266f1fe

      SHA512

      d33315bcc2cefffa054124f02796f1edbed1c82df0ce43db5f8d20d9f21acb2e41c0babb23caec640e6bdcc2423a8a5f48983cb96f406f3b998ead549400615e

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      173B

      MD5

      52a1ea14eb78bea5bbde55e2da97abe9

      SHA1

      29587eba683fea4383a459ed1dc90259707f776a

      SHA256

      9fa8ada38902945f312aafbd7550fbc27fcf09fa5b2ceeee38f432b36684e2f9

      SHA512

      c82be58ceb1abede5678f4734305a46ad22c05d25fe98781e1332afef671cdefd6bace3de8d77f73e6d0050908765daa843efb9d822c71b1b723a22175e1f733

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

      Filesize

      4.1MB

      MD5

      f35808f8909b7f28ffb345472e55354c

      SHA1

      286a07a3686ab42d84bdd48dff1ace6a837839f9

      SHA256

      c3eb5f1327f911f92b020c8abe439d41ff93f55150adcec09696d7fb7a95de3c

      SHA512

      822311352fc279dc9662147924f4b6f936fd2e0d1540d3990812912f668398dc981f942f137125d174117961005be5bc98d9fd7bc52b948144ccfe2a68e3fd5c
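
    The Downloads table lists several artifacts more than once with different sizes and hashes (C:\AdobeLQ\devdobec.exe at 319KB and 4.1MB, C:\Galax3P\boddevsys.exe at 4.1MB and 3KB), meaning the sandbox hashed the same path at two points while it was being written. A sweep has to carry every listed digest, not just the last one per path. The script below is an added example, not part of the sandbox report: the MD5 and SHA256 values in IOCS are copied from the table above, while the function names and the placeholder file the demo writes to a temporary directory are this example's own.

```python
"""Hash-based IoC sweep for the artifacts listed in the Downloads table.

Added example, not part of the sandbox report. Digests in IOCS are copied from
the report; the demo file written below is a constructed placeholder.
"""
import hashlib
import os
import tempfile

# (label, md5, sha256). A path appears twice when the report hashed it at two sizes.
IOCS = [
    ("submitted sample (4.1MB)",
     "8f466d4abf03a5d6f4e88699db920637",
     "f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680"),
    (r"C:\AdobeLQ\devdobec.exe (319KB)",
     "154968e9ef005118202aea2b1d05fcf9",
     "f7bb8d36a9ed17856280a0427107018860c93cef430deb49e4eb57918830997c"),
    (r"C:\AdobeLQ\devdobec.exe (4.1MB)",
     "73eda3a1f5fc4555107256038f979c04",
     "7db57fef2b3fcd4e99a5668f2352842880951523344467bfa94f52a609567607"),
    (r"C:\Galax3P\boddevsys.exe (4.1MB)",
     "2359be6e30cf56ace6e358faf1958993",
     "c204e04062455b19d8a601a70ea7c883cf15c7c4d7bc0b2f614a57367221c2d9"),
    (r"C:\Galax3P\boddevsys.exe (3KB)",
     "1277107cabcc016a5fd1f1042e36a2e3",
     "8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini (205B)",
     "742e89c8bc8d837b56bdac9a17316dc7",
     "cc5b61473a514a5845a88d41fa190200f77b468605ae1fd71bbd4cd37266f1fe"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini (173B)",
     "52a1ea14eb78bea5bbde55e2da97abe9",
     "9fa8ada38902945f312aafbd7550fbc27fcf09fa5b2ceeee38f432b36684e2f9"),
    (r"...\Start Menu\Programs\Startup\ecdevdob.exe (4.1MB)",
     "f35808f8909b7f28ffb345472e55354c",
     "c3eb5f1327f911f92b020c8abe439d41ff93f55150adcec09696d7fb7a95de3c"),
]

# Every digest, lowercased, mapped back to the artifact it came from.
IOC_INDEX = {}
for _label, _md5, _sha256 in IOCS:
    IOC_INDEX[_md5.lower()] = _label
    IOC_INDEX[_sha256.lower()] = _label


def digest_file(path, chunk=1 << 20):
    """Compute md5/sha1/sha256/sha512 in a single streaming pass over the file."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def match_iocs(digests):
    """Return sorted artifact labels whose md5 or sha256 equals any given digest."""
    return sorted({IOC_INDEX[d.lower()] for d in digests.values() if d.lower() in IOC_INDEX})


def sweep(root):
    """Walk a directory tree and return (path, label) for every file that matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                labels = match_iocs(digest_file(path))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            hits.extend((path, label) for label in labels)
    return hits


def demo():
    """Sweep a temp tree containing a constructed file that only shares the name."""
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, "AdobeLQ", "devdobec.exe")
        os.makedirs(os.path.dirname(decoy))
        with open(decoy, "wb") as fh:
            fh.write(b"constructed placeholder, not the sample\n")
        return sweep(root)


if __name__ == "__main__":
    print("hits on decoy tree:", demo())
```

    One caveat the table itself supports: the copies in C:\AdobeLQ, C:\Galax3P and the Startup folder all report the same 4.1MB size as the submitted sample yet carry different hashes, so the copies are not byte-identical and a per-copy hash will not generalise to the next run. The drop paths, the Startup-folder write and the Run key are the more durable indicators; the hash sweep is for confirming exposure to this exact sample.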