Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 02:39

General

  • Target: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  • Size: 3.9MB
  • MD5: 913cbc7960bb52b182613064a135b7ad
  • SHA1: 474902ce8d516b979bf4d6159421d593ddc06e4b
  • SHA256: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8
  • SHA512: e8811cc8146fa9adb304cb2eb149d0b009e7b413a05585eb91ef91d35d5155cb46eef0bb28d3b4b1253f058e01f23d8da48a2f0d38f2f85c979cbffed437cec4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
    "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2140
    • C:\UserDotBJ\devbodsys.exe
      C:\UserDotBJ\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZGU\boddevec.exe
    Filesize: 3.9MB
    MD5: 3050c6c6b59239af083247c88c2995d4
    SHA1: a4341770d34aa692bb1eec935b7a0009d8e4098f
    SHA256: fb162b0a3281e41c730986c01b5d8ab2f6f9119ce85910d87149914262ff5d40
    SHA512: 4cac03e8cfc8f1699e198cccf81f5d1537fb71c2e7554bf5018407335cbab48325bdabf61dfd263f409df1223eb50ffe273e5cfb99fe77425d5fcb2bfc1486f9

  • C:\LabZGU\boddevec.exe
    Filesize: 3.9MB
    MD5: 9daefe502061561d173abd18521f0c7e
    SHA1: ca5386402e44c7fffa5f8e666c85be0f211d315d
    SHA256: 1a7a78c5c66ae4a9b91750647dfd5d3a50c84c002e51a3790adb5973ff047f1f
    SHA512: c5175d49640e152f72e31268003dfe09480860178f49ed2e7780b77f0a485014b723e02801421ee16038da7c9e40325522b56ace28307df6958b4b9395e119dc

  • C:\UserDotBJ\devbodsys.exe
    Filesize: 3.9MB
    MD5: eff235db029209b89e2ccb037129d871
    SHA1: b8c9e21ab8e513d38b91b037460939e7fe6db370
    SHA256: 9ca52bf90129783e9e32671930f257a6cb0aa61a6636d057da2446f9630f8e35
    SHA512: 9d26ba7254d027ab54a713217e6e7908b7146d74b3f1a3742e04199f86b145a2bcd6b25ffa4fe7f33baf130b71b7376d234da298c452279ed75d34de30e441b7

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 22684f0befcdcf3e68d84f9ca722f149
    SHA1: 3385f78e883dd90f03d21ac1c9b11c56ce87c0e6
    SHA256: f2e9bd9574aa17cbf3b1f1d7edadb3b73527411bbf491ecb6b7e3dc691a9ae86
    SHA512: aea6764684774398e96017f9940f67506cd04c1122df2f084c259fd7cab114bd114dd70c4bb38f01c8b2a88732d569a6d364508856a2c6b55f61ea9db96f1e16

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 058d52c87478916904ce501563c12f09
    SHA1: 0c211f3ac1f9866bc8b7bc070c19845972e26e28
    SHA256: 3c6b308b6044a2eb9f9765e0368999c12d6b312bcedaac2df3392f8c50667345
    SHA512: 5334794d0046f670f45e1abd8765d65faba39932924ab8fa6fcd19fe61bf082a158a903ce1c0a2dc2b221dbdf3ad4802c54743da0e63ab3f0eeacdf6b3ec0060

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 3.9MB
    MD5: 147cc195c660eb9fca9139c377cc1176
    SHA1: 6e146ac5461cf8bf12de67e3b6458b659d40af45
    SHA256: 61d3ac1bdb79ee4c94a64e9925e545639bc58280dca7bc79cf17d63b5d534b3b
    SHA512: ad25378345d0b15eb8e836f8d65ce07497e2bd4573782b8234b97a8b5af7e7ab53d7a4a5f403e2fb183c83c2c08e0886c48f2653fb5187b2a151a4b59608fc58