Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 03:30

General

  • Target

    30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe

  • Size

    2.6MB

  • MD5

    9de6fa8f790d4cc461b260907f377ed0

  • SHA1

    87caef779744371cc0f5cb9a2ec912f5b6a9f80d

  • SHA256

    30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50

  • SHA512

    c19917e2a5bf5a9953e48e7f0e4d30c328cde4094425e2090be0f2187e7f935325936e6aeb66b1e0e6c4542865f6a4985b08b06a3967d5e43d5b8f257085d1ed

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
    "C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2696
    • C:\Files9A\xbodloc.exe
      C:\Files9A\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2732

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Files9A\xbodloc.exe

    Filesize

    2.6MB

    MD5

    814039714f546629801b3047f049a201

    SHA1

    b84a1cca1e97c89b0804b532465c841d896010e5

    SHA256

    429b29eacb036167712437df4d73d7853a23908e8869851d12ce86026cb74c0c

    SHA512

    388d247e977dafb4a549100d415cb5efdca2c5b984bc49438fae3785421edf98ccdbd7accacdede165facc6b97c39811674af4fadf42575cbc75e5bb9f600c80

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    60151bbe6453256c273a81b6ba25146a

    SHA1

    46e5f038c3e30ca153cebc9e53a680e44faba881

    SHA256

    7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6

    SHA512

    ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    478a7bc2b9f9478fb3850f7d8e89c557

    SHA1

    b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0

    SHA256

    3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2

    SHA512

    63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9

  • C:\VidY9\boddevsys.exe

    Filesize

    2.6MB

    MD5

    8662396c1e4afc713b01501c42900ad6

    SHA1

    45a35d02a58869d6d3b27fe7e22bbf320df3e251

    SHA256

    b43ecc3f6730a193130ee2b7fd2dcb6b913006b28bf90b214f4f79d29f813704

    SHA512

    0fb09ba191ed0133b8eb83985e7334b3f5c95223827d75ab22f1ee9e8ebfe68554a0d843c7f31c151f8304948edcb242d72cf2128bb4375890a964efbe925307

  • C:\VidY9\boddevsys.exe

    Filesize

    2.6MB

    MD5

    92e7358bd80e3bcf619adba852d66be5

    SHA1

    cfa209b6c36d616a69dff3caedaade4b929d0e8f

    SHA256

    fa916b3e2e03840e3c2fd856ec18b9872450bc1a872c9b291769caffcdc7d41e

    SHA512

    7a45d20f377b3f770bfb55e15e6a8ad92c9c08fb32aee95460a485dc20e9d58a55743f1fa56e380f53d44b86d6a1c5c563ad6f0119dde45fa12ecb6bdfff0c42

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    10b0d8cc1ea309ddbad132186b02a24e

    SHA1

    1a2a3d8a89a6dfbdd361cfcd443f72814d226c41

    SHA256

    1bf9f6560a39e757ed45e976cab948004fde37c6fbab457bcc2d80ccdea329da

    SHA512

    fa0175317c2170c19eb306a931444c1047f99490cb2a6b88fd943969354a1883bbd4a88cc9383690fc4a38030aec8138846ed9e26a8f0d29fc886e4229025a18
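Two paths in the dropped-file list above appear twice with different sizes or hashes (C:\Users\Admin\253086396416_6.1_Admin.ini at 171B and 203B, C:\VidY9\boddevsys.exe with two distinct SHA256 values), which means the sample wrote those files and then rewrote them during the run; a blocklist built from only the first hash of each path would miss the later version. The Python below is an added example, not part of the sandbox report or the sample's own code: it parses the report's flattened "path / label / value" layout into records, rejects hashes of the wrong length, flags paths written more than once with different content, and produces a deduplicated hash set for hunting. The sample input is constructed from five of the entries above (SHA1 and SHA512 lines omitted for brevity); the function names and the record layout are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Expected hex-digest lengths; anything else is a truncated or mangled hash.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# An entry starts at a line that looks like a Windows path: "C:\..." or "\Users\...".
_PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")

# Constructed sample: five dropped-file entries copied from the report above,
# in the report's own flattened layout (SHA1/SHA512 lines left out).
SAMPLE_DOWNLOADS = r"""
C:\Files9A\xbodloc.exe
Filesize
2.6MB
MD5
814039714f546629801b3047f049a201
SHA256
429b29eacb036167712437df4d73d7853a23908e8869851d12ce86026cb74c0c
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
171B
MD5
60151bbe6453256c273a81b6ba25146a
SHA256
7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
203B
MD5
478a7bc2b9f9478fb3850f7d8e89c557
SHA256
3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2
C:\VidY9\boddevsys.exe
Filesize
2.6MB
MD5
8662396c1e4afc713b01501c42900ad6
SHA256
b43ecc3f6730a193130ee2b7fd2dcb6b913006b28bf90b214f4f79d29f813704
C:\VidY9\boddevsys.exe
Filesize
2.6MB
MD5
92e7358bd80e3bcf619adba852d66be5
SHA256
fa916b3e2e03840e3c2fd856ec18b9872450bc1a872c9b291769caffcdc7d41e
"""


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_dropped_files(text: str) -> list:
    """Turn the flattened 'path / label / value' lines into DroppedFile records.

    Each path line opens a new record; the lines after it alternate between a
    label ("Filesize", "MD5", ...) and its value. Hash values are checked
    against DIGEST_LEN so a mangled line fails loudly instead of silently
    entering a blocklist.
    """
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PATH_RE.match(line):
            current = DroppedFile(path=line)
            records.append(current)
            label = None
        elif current is None:
            raise ValueError(f"value before any path: {line!r}")
        elif label is None:
            label = line
        else:
            if label == "Filesize":
                current.size = line
            elif label in DIGEST_LEN:
                if not re.fullmatch(r"[0-9a-fA-F]{%d}" % DIGEST_LEN[label], line):
                    raise ValueError(f"bad {label} for {current.path}: {line!r}")
                current.hashes[label] = line.lower()
            # Labels we do not know are skipped rather than guessed at.
            label = None
    return records


def rewritten_paths(records) -> dict:
    """Paths that occur more than once with different SHA256 values, i.e. files
    the sample created and later overwrote; every version is worth blocking."""
    seen = defaultdict(list)
    for rec in records:
        digest = rec.hashes.get("SHA256")
        if digest and digest not in seen[rec.path]:
            seen[rec.path].append(digest)
    return {path: digests for path, digests in seen.items() if len(digests) > 1}


def hunt_list(records, algo: str = "SHA256") -> set:
    """Deduplicated set of digests for a retro-hunt or blocklist."""
    return {rec.hashes[algo] for rec in records if algo in rec.hashes}


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_DOWNLOADS)
    for path, digests in rewritten_paths(recs).items():
        print(f"{path} was written {len(digests)} times with different content")
    print(f"{len(hunt_list(recs))} unique SHA256 values to hunt for")
```

Run against the full report, the same parser also accepts the SHA1 and SHA512 lines; feeding it the whole "Downloads" section rather than one hash per path is what keeps the overwritten versions of boddevsys.exe and the .ini file in the hunt set.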