Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 19:10

General

  • Target

    1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

  • Size

    2.6MB

  • MD5

    0f313eb860c87f6747ffb89aaef74c64

  • SHA1

    4aee1be53cf5853337445a419d65b13621bf25a1

  • SHA256

    1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747

  • SHA512

    b35da1b690d99b4ae944a024b7755039dfef3ecff2c60bd594cb1dab06e58fd34105e8795318069ebd0f36b72ae51ed1d95a7da881f5ac0169306ab32359c673

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
    "C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1184
    • C:\AdobeW8\xbodec.exe
      C:\AdobeW8\xbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeW8\xbodec.exe

    Filesize

    2.6MB

    MD5

    d8728d6f8e024ab728cd38808ee24058

    SHA1

    48cda8ea46be5748d409a8e305d45d9ecc37ad61

    SHA256

    9b73b7b1997081dd2afc2e252c4c9dbc060e3c4e2218e3fe6829276e9e2d1b83

    SHA512

    10ce44785e8a0328f16eadad8ac70f88aff80264eadc559b99951781c4e3bfe591ed02d0bcbe95e8fed878983217c5d6a7c29be71ef89abf155d6c31e805ddc1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    0740b0c2b0c3d9f98231e949b28efd5c

    SHA1

    8d746827579afb6d7ddd5e78700b8c089bb97770

    SHA256

    2d18b32719e2a871e5baff85312cdd7fb063c07a72caa919b95ba65786b6e2bf

    SHA512

    f7b5dce437d1f5beae5540c94b31ff1c911c2f1b86f45bf4042b3587e946fbd3a87a76c597fed9a60d450ef58139bf6ddda2b35a1b8d1d0665177c4592a7a42c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    f8258b0e80b8d34b649b09e5cff172b0

    SHA1

    1807ba777903176b2d6565d10318cab25ac826e7

    SHA256

    ca5fa9c9c6e732246d7315806356fe0e9e5303e4ea5aece6c1a2e257b7ee2816

    SHA512

    bc3345e723c6c96e79211809fff9bf9fc2e96f4ce8912cf17d83730c9f74e4e364973c4e2391faaf83d9cb9cc4142a130d24080c4971eb181ac71a92ffc503f6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    2c9eb9f0a3aaf2b1e16edee8dddbe0f2

    SHA1

    c5d011b37d21778734250cafa5aa757905405bfb

    SHA256

    2a7deaab9f7b087de710a6f3721ed57b9f37ca052eacc689f88c5a035410d8bd

    SHA512

    2a36a8b9391a51095b74778d56d82f08cee5870d61e4b4020c5a971c7ce01d7063eaf43f8e1eb881d6174d8d6144785a4876223576546b2293d0e3f9febba95f

  • C:\VidHM\dobdevec.exe

    Filesize

    2.6MB

    MD5

    ce6443f85384e44847c7e3d326ebb3f3

    SHA1

    bd56fc05a96f74cb0236da934549e8201d480d88

    SHA256

    c93d329d4221672ed4934b99db4ce32c6373b7e85f181b979dcdf473bfedd850

    SHA512

    9964a59868b5f7e12c465cfe2066762f548503ba52c4350d29c210d1f078b75f8701b4a912b57fc2fce089a5b326d074149004f5db903cafa19c5de11e6764cc

  • C:\VidHM\dobdevec.exe

    Filesize

    973KB

    MD5

    9f31003fddf65b850968ac1e9e8f5bc8

    SHA1

    a00af3854436c93cdc028a26e355356c847ef063

    SHA256

    136058570e51a87551dc67d0bc155c814f5b5d026cfaa1600114af1fb897690b

    SHA512

    6d82bd39da8c77a6ccb6bc5ebf218d4e6a76eece97a21503c3d705af8501c1b8a23ab0e2b366a4992d555d7d736645fbcd8f1d031300308ba352fc606acb2829
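The Signatures and Processes sections above record two persistence mechanisms (a copy dropped into the user's Startup folder and a Run key) plus two further dropped executables, and the Downloads section gives the SHA256 of each dropped file. The following PowerShell script is an added host-hunting example and is not part of the sandbox report: it checks a Windows host for the drop paths and hashes listed in this report and scans the Run keys for values that reference them. Because the report names the Run-key technique but not the value name or data, the Run-key check is a substring scan and is an assumption; the output object shape, the `Test-Artifact` helper and the per-profile Startup-folder lookup are likewise assumptions of this example.

```powershell
# Added example (not part of the sandbox report): hunt one Windows host for the
# artifacts this report attributes to the sample. Paths and SHA256 values are
# copied from the report's Processes and Downloads sections; the Run-key scan,
# the per-profile Startup lookup and the output format are assumptions.

$Findings = [System.Collections.Generic.List[object]]::new()

# Check a single path: record it if it exists and whether its SHA256 matches
# one of the hashes the report captured for that location.
function Test-Artifact {
    param([string]$Path, [string[]]$ExpectedSha256)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $Findings.Add([pscustomobject]@{
        Type      = 'File'
        Location  = $Path
        Sha256    = $hash
        # A mismatch is still a finding: same drop path, different payload.
        HashMatch = ($ExpectedSha256 -contains $hash)
    })
}

# Fixed drop locations from the process tree and Downloads list. The report
# captured two different files at C:\VidHM\dobdevec.exe, so both hashes are listed.
Test-Artifact 'C:\AdobeW8\xbodec.exe' @(
    '9b73b7b1997081dd2afc2e252c4c9dbc060e3c4e2218e3fe6829276e9e2d1b83')
Test-Artifact 'C:\VidHM\dobdevec.exe' @(
    'c93d329d4221672ed4934b99db4ce32c6373b7e85f181b979dcdf473bfedd850',
    '136058570e51a87551dc67d0bc155c814f5b5d026cfaa1600114af1fb897690b')

# Startup-folder copy. The sandbox user was "Admin"; on a real host check every
# profile under C:\Users (assumption: profiles live there).
$StartupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe'
foreach ($profileDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    Test-Artifact (Join-Path $profileDir.FullName $StartupRel) @(
        '2a7deaab9f7b087de710a6f3721ed57b9f37ca052eacc689f88c5a035410d8bd')
}

# Run-key persistence. The report records that a Run value was added but not its
# name or data, so flag any Run value whose data mentions a known drop path or name.
$Needles = @('AdobeW8\xbodec.exe', 'VidHM\dobdevec.exe', 'ecdevdob.exe')
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata properties that Get-ItemProperty adds alongside the real values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $data = [string]$p.Value
        foreach ($needle in $Needles) {
            if ($data -like "*$needle*") {
                $Findings.Add([pscustomobject]@{
                    Type      = 'RunKey'
                    Location  = "$key\$($p.Name)"
                    Sha256    = $null
                    HashMatch = $null
                })
                break
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    'No artifacts from the report were found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so HKLM and other users' profile folders are readable. HKCU is only the hive of the account running the script; to cover Run keys of other local users you would need to load their NTUSER.DAT hives, which this example does not do. A file present at a listed path with `HashMatch` set to `False` is worth keeping as a finding rather than discarding: the report already shows the same path (`C:\VidHM\dobdevec.exe`) carrying two different payloads within one run.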