Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 02:26

General

  • Target
    bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
  • Size
    2.6MB
  • MD5
    1ef65379fb8b9a4031b68ee839b05fe6
  • SHA1
    b695a9d3e4cd4904747935d76873d4479984c218
  • SHA256
    bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994
  • SHA512
    8079e975bb40e5f3bce8a18f4c030d9da6524b836d5f6e8e1abeed426db7106af54cbbec22344c472ef9080c12bf3e09d7c0b672f443ea29d30c5ae267e0fc05
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe
    "C:\Users\Admin\AppData\Local\Temp\bcddf0a709348bd5fba69137c137e6a938a095504abdf7652a1bde4184209994.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1204
    • C:\FilesXZ\devdobec.exe
      C:\FilesXZ\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesXZ\devdobec.exe
    Filesize
    2.6MB
    MD5
    f6ff5d1e72ea48d23654c00c02d645d6
    SHA1
    1caeddd31c10ab39a236c4fadb22222c5b1a1173
    SHA256
    6cef530cab0689c150fde5e14bf57e5556ff3116602f36a27ab02c454a275fcc
    SHA512
    c6ad70378e282881506173c76b88477d3d725210b3c5ff3ec2a890d19a10811611236e0d2b98718e91bb0fb0db550004a2f4136d5c758fb15bb5efa488c66a1a
  • C:\KaVBYC\optialoc.exe
    Filesize
    219KB
    MD5
    f446afe53b104415cb1fb8ff6b87d242
    SHA1
    e192ce81ccf133a6f8e439622fe55b131a331c08
    SHA256
    83a13a5e4a5b36e7a2b8062fc89457f5cff965dfb262de6e700abf7ef2bedaa7
    SHA512
    cf560c5d8e17c257cae4ee2678666e71f5fa5d6ff55be14a39f99b5e2660884b1f39d9f55df9c23852dd04517d64c3970abed126b25677f5f1b96727c9119201
  • C:\KaVBYC\optialoc.exe
    Filesize
    2.6MB
    MD5
    c5910e4b5077680b35180f7a3ad9ff38
    SHA1
    c010e651dcc43782f966e5d7a43857ae322ffaa5
    SHA256
    f274b206290bcf9de9b205a74491fee549238352afa43fb44c2a2372659f50b4
    SHA512
    bf41f8429f72c5fe6934044297a24b9c9fd8735992d9606ff64df3f68db3b004d09ee4700e9b6f3a8cb486d42f8cd9fa4850e0704cc66d9ddc617afcd16f35e6
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    169B
    MD5
    924f22118c0724bb1c97ea2c61915a73
    SHA1
    afb10acc73570bdf3d7433f818e68ecc108377d1
    SHA256
    3b17004312d2ac6484dfe6d6c5d19b23790f713f6f94ff38af1a2562cf827cf1
    SHA512
    c4faf1bbe23017aba31267bfa3e5064dbb19f5190f65c2c295f66e5d2d27d9fa80d6c9b38f22dd04a63566307e9b26fac66336c5911a16a99d3ef872b6ea8444
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    201B
    MD5
    9d6df87a5c6509f2fd2f3b307754dd99
    SHA1
    af53f7f3e663df66245d57d7066ec4bf0437615b
    SHA256
    450ce3370400d1a437704e1d0ab7304bbf45067423f71026175d2fcc6e15ef70
    SHA512
    84fece10fcaaca8c9514404c70d892e92eb6b98174d79c85c5600da113146f08e5e8de7084cc1a2ea905a20012a41e30ed7899862c70d7844a1a9dffdd64bf64
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize
    2.6MB
    MD5
    ac6b56f232cd98f326ce7c106c87351c
    SHA1
    990c00267c043f172a9f1e8d43870b2dd776121d
    SHA256
    8b3ba6f42829171a0b9423aa140c57a7946c5602beba34bb2ddd710f951c7914
    SHA512
    e095ab45adc08dcf3a02d121210137407f97441e37ea40b7230ff117ef9147569fbf553498e7c9177cbe0c969aea0401776765bb29697beb5b2d6a07586fac33