Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 03:02

General

  • Target

    b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe

  • Size

    3.9MB

  • MD5

    5348da2c63a0193d370a7da78fc3a8b9

  • SHA1

    69a1ebda52b6fdd73cff4b646c336410dcb6ee3a

  • SHA256

    b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a

  • SHA512

    88230ab1ec96238f6321c5b2a6a4f5166be9da183ba4d075c5113a9187d24c685f91f8571cf0ab66f751104e36a73cb6284a6dd9b3c676316d91f4fe392d79a4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, autofill entries and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
    "C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1580
    • C:\Files2G\adobec.exe
      C:\Files2G\adobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files2G\adobec.exe

    Filesize

    2.8MB

    MD5

    cc5ef4d7d290241e34db344d87ddcaa2

    SHA1

    11522ebbece13d79935ad6ac540f87f8b4af1d75

    SHA256

    d333ac5ce4c7500d1ac7913b517d6b944197cb712cad5b02a886e94dfd103bf0

    SHA512

    469ecf60854d8db3aa33ea73d7d79da91f90c912a65e7bd05cf08e8eb8b047b018c701c3bb9ff95c407eb747eda1d2d00f3385b8713e7cabadaf267c8e9642b6

  • C:\Files2G\adobec.exe

    Filesize

    3.9MB

    MD5

    dba575ff5988a64822fbb9b2679e9550

    SHA1

    2c467244569bb98eb1f8809ef2cc59e1f83e5ff2

    SHA256

    db26523f997216b5c2d8b1a818d81fabfc6bda24953beac4b4eb6de52355672b

    SHA512

    5f6999e08ebffc7adde561eb239b647a0dd12b6c8de5c432572b55253acc65f64d220c61f4a4b225ac34f6ac52964e5d4300b9252603005e0ca5a95ee93cc814

  • C:\KaVBQM\bodaec.exe

    Filesize

    3.9MB

    MD5

    23647db45c46fd65b7aab98eef0783fe

    SHA1

    7555ef5be0b56b0d3b6e5d9234500047cb01cace

    SHA256

    6db1bccff64f57515a0b4f1c15a414a6a845a82a67b66b80373afabe98461037

    SHA512

    685cc6969f1766561d9e17956157060dcfcda7847b790a65b9a3e8279765b3f7f364eb95e5dccbddc953c7a7f12c739373e7aa273a39a81bba1483f22a7c0cac

  • C:\KaVBQM\bodaec.exe

    Filesize

    3.9MB

    MD5

    4d6e2ee4821ec834fd9b0e093dd1cb26

    SHA1

    a7bfaa8ab526fffec3881732625b759e63c562a0

    SHA256

    2fa45d28fbba1e0f9ee1188db3543bab215bb1dbda291e12926473d54c0958b4

    SHA512

    5d4d9d75548c467647e5a81b18a78090ec6a576bd77df660ac366287570cf0dd4c9e4e2376b35f3bd029ac0167347ad8d7f41155851fcd2ca5a1a351748ac149

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    98fe53d103256420fa2d513d68954a97

    SHA1

    cf80c03d024a220adfc015e8f524bec282b38cb4

    SHA256

    1a5a465b62c0537d0701ffb57571b888626577134b6c55fea7e37b84547ee78e

    SHA512

    70dfe867f5a4b726ef819914c55cfa1b309a8cc530cc850da3608683092f95b33fac1005b5740fe15dfbac92af5bc7528e654c3e6b7a5571d4d9e90bdfcb5860

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    4216912a12fd4011701bf1be74e60616

    SHA1

    2a20378703f8a2898dedecb637328e6ecf3981ae

    SHA256

    c632abed9f4ef7392be05d8fcae72d718ef62819e131b6eb19a1670838b1c8c1

    SHA512

    e7296663eb5ca8e5cb49396891b6ba8583dee057defee27836c8060d36977a6b8115cdc00b14272dc7ce338877a2068491a7cddabec080e0f6ca566271385224

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    3.9MB

    MD5

    5fd621765922e590c4877db4fa81acb9

    SHA1

    4b3360cc9e7003cbd0473fc2e03f3f399f421567

    SHA256

    e90d12847f1c2c37d44ee399128c4708e890e4222ac92d0ed31a2d8cf3c3df92

    SHA512

    beec1169b41a282eff6390df53ec9930d5ffbbe70a93e318600d53ec2f182692ef12018a35447b1408eca9ade2f27cdeb3401d35b51b8eb89951f48b556897a7
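The signatures above (a file dropped into the Startup folder, a Run key added, dropped executables launched) together with the SHA256 values listed under Downloads can be turned into a quick host hunt. The PowerShell below is an added example, not part of the sandbox report or of the sample itself. It assumes the sandbox's C:\Users\Admin startup path maps to $env:APPDATA on the host being checked, that the numeric prefix of the .ini name (253086396416) varies per host and is therefore matched by pattern, and that the Run value's name and data, which the report does not show, are best found by looking for any Run entry pointing at the dropped paths. The hash values are copied from the report.

```powershell
# Added hunt script (not from the sandbox report or the sample): looks for the persistence
# artifacts and dropped files listed in the report on the current Windows host.
# Run from an elevated PowerShell; paths under $env:APPDATA / $env:USERPROFILE are an
# assumption mirroring the sandbox's C:\Users\Admin layout, adjust for other accounts.

# SHA256 values copied from the report (original sample plus dropped executables).
$Sha256Iocs = @(
    'b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a', # submitted sample
    'd333ac5ce4c7500d1ac7913b517d6b944197cb712cad5b02a886e94dfd103bf0', # C:\Files2G\adobec.exe (2.8MB)
    'db26523f997216b5c2d8b1a818d81fabfc6bda24953beac4b4eb6de52355672b', # C:\Files2G\adobec.exe (3.9MB)
    '6db1bccff64f57515a0b4f1c15a414a6a845a82a67b66b80373afabe98461037', # C:\KaVBQM\bodaec.exe
    '2fa45d28fbba1e0f9ee1188db3543bab215bb1dbda291e12926473d54c0958b4', # C:\KaVBQM\bodaec.exe
    'e90d12847f1c2c37d44ee399128c4708e890e4222ac92d0ed31a2d8cf3c3df92'  # Startup\sysdevdob.exe
)

$StartupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$PathIocs = @(
    'C:\Files2G\adobec.exe',
    'C:\KaVBQM\bodaec.exe',
    (Join-Path $StartupDir 'sysdevdob.exe')
)
# The .ini dropped at the profile root: numeric prefix assumed to vary per host, so match by pattern.
$IniPattern = Join-Path $env:USERPROFILE '*_10.0_*.ini'

$findings = @()

# 1. Known dropped paths: report presence and whether the content matches a listed hash.
foreach ($p in $PathIocs) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $findings += [pscustomobject]@{
            Type = 'DroppedFile'; Location = $p; Detail = "sha256=$h"; KnownHash = ($Sha256Iocs -contains $h)
        }
    }
}

Get-ChildItem -Path $IniPattern -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type = 'DroppedIni'; Location = $_.FullName; Detail = "size=$($_.Length)B"; KnownHash = $false
    }
}

# 2. Run keys: the report records a Run value being added but not its name or data,
#    so flag any value whose data references the dropped directories or file names.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $data = [string]$props.$name
        if ($data -match 'Files2G|KaVBQM|sysdevdob|adobec\.exe|bodaec\.exe') {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$k\$name"; Detail = $data; KnownHash = $false
            }
        }
    }
}

# 3. Everything in the Startup folder, since the sample persists there directly;
#    a renamed copy would still be caught by its hash.
Get-ChildItem -Path $StartupDir -File -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $findings += [pscustomobject]@{
        Type = 'StartupItem'; Location = $_.FullName; Detail = "sha256=$h"; KnownHash = ($Sha256Iocs -contains $h)
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit with KnownHash = True is a direct match on the sandbox's dropped file; a hit on path or Run-key data with KnownHash = False means the same locations are in use but the content differs (the report itself shows the same path written with two different hashes, so a mismatch alone does not clear the host). The regex on Run-key data is deliberately loose; tighten it once the actual value name is known from a live sample.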