Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:30

General

  • Target
    15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
  • Size
    2.6MB
  • MD5
    779680a307a34a3c91d2090dc6f89fc0
  • SHA1
    64082c617087cf1f8e5b179e2cf4a3ece7ec6b2c
  • SHA256
    15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448
  • SHA512
    ab1dd2eb9b7d479f8b89181243ef1fa401ea920df6636691d41bc100464ae989fb4ad0c8f0b975e33719ea17c881e21fa7a7aabd6e2f7a43ed6ce3e51c85ef87
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
    "C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2356
    • C:\UserDotCS\xbodsys.exe
      C:\UserDotCS\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotCS\xbodsys.exe
    Filesize
    2.6MB
    MD5
    3a4a4d8840b66fa9ae78da2f121577f4
    SHA1
    b350312aa0d40658985220a5f8bd8f25da7af085
    SHA256
    bd7c1cba70327a236357fa8948003da5889fe33962d87f3d4aebcee09dc05498
    SHA512
    4c77235ded11af1f34e0cc2f1c2ee7e25eb8f863a30c6a23e6afa19cfb9ab045d66605173aa06cd1af898ec6a00d6b06afe3c383d91a5c693bb9180e51456a7d
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    171B
    MD5
    8a2b6d3f9f8ceb017044c2cdd227d610
    SHA1
    325214b44483a83f82377883a0223daa9e971be0
    SHA256
    7f2fb295326260d74eeb0a43f9f193c2b6e2361f4367c82aa9458f424135a4cc
    SHA512
    02b100b3d8d5c8bc501435224e8e358e600adc3f850e026af3d99124df883305fed1c7b6b042a1ecf42c512131e7f127ca664d3b8c6e815582626b1f535e729f
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    203B
    MD5
    c7123403c7d607b2b7fc4f18187853d9
    SHA1
    2cf2c5789f07c2d95fea9878b36947aa1f3ddb17
    SHA256
    1f4f89f8182546b29c8f2f391f041efe16d7963426415e97621258f8b7774019
    SHA512
    3106c8b3d17f7b5758129373b397acc056e12542f734b71f3021692048df8727a6a4619a55f5d11fec6aae754343bbd1181b8b59c87676fae9fb24b45e1acc4a
  • C:\VidTW\dobasys.exe
    Filesize
    2.6MB
    MD5
    0cac7cacce02f5f5596f5d08d7630358
    SHA1
    5da2db0c35b63b470545c75f0aa8d46992ac8e84
    SHA256
    65efafdcd82e51abcea27875cf1cbd9f15023b8b8b2dc60fbe6908ed260951cc
    SHA512
    bf69d89ca3046dec0c6ca002c7a4917bd961831e8f24d135286c84bae7da4f2b28b4b8a24e280b0f243957d1669a1750ed3d92f28fb08c7833fe73adb8741d1d
  • C:\VidTW\dobasys.exe
    Filesize
    2.6MB
    MD5
    467eef31be94831d5bd6003423547169
    SHA1
    d18b8350c7273b5115ea0bfa5d60acffd9d43649
    SHA256
    68a58789cc93159291b04b19a4d2e676cfe93038e25b8385aab49b5b4d4463ed
    SHA512
    3f9b41f8048e7ad66417c822b9d27eb35e20d3912019ae418ee7c1eec55441dcd4d200897063173ecf70437e7a7f2d20f33c5be924018b383e9145d093686c42
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize
    2.6MB
    MD5
    f928f5cb35f3f802095503da21f17900
    SHA1
    b48edbe9c7d1aba9eb967e5ceb50b02daef6a4e3
    SHA256
    09817acd5fa05786ca92decac46bb92cd94333807b764b2a3c12be7a714d332d
    SHA512
    1a02cd9b9be5d5b8099c5a6f5a027ef311764d0935149c6eecfa92338f0b5de0c0d08d23d5a3789ab646f516e01a97ffdd28f2c8258f55ae70d7dc6c085bc54e