Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:10

General

  • Target

    aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe

  • Size

    2.6MB

  • MD5

    26234f25757607a2c6e9c2a664b824f0

  • SHA1

    52a21524c60502ac26b5c9ff807d8546d9c1b339

  • SHA256

    aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cd

  • SHA512

    b8d7c5be067efcdeed501c4eda0e29b4e3f8b38a2ec12eae7a1df8857cb13a9da06dace621cc9de397943cdda6e7f01d5c155caa6714b73c3f7b5e3add792ff2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
    "C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1868
    • C:\SysDrv59\adobloc.exe
      C:\SysDrv59\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint7A\bodaec.exe

    Filesize

    22KB

    MD5

    5e5f77e5a8bba3451205d15924cd85c2

    SHA1

    8dc6f4f6076d3abc71b64626f34bc06239e824c1

    SHA256

    2cf5e62848375af5dfdbd237976b8bf53195ad0533a458694c774a09a1c5e622

    SHA512

    865f8b9eafb8e98c518d4157321733e2b3a01e26eabd18a9260225be73c393ad11ddb23be1bcb85fe39df817842f35624262bcbe170f66b1887924be42e32d37

  • C:\Mint7A\bodaec.exe

    Filesize

    2.6MB

    MD5

    6a5a4422d897e38676ca7d3635d9e34f

    SHA1

    83f66f85e36795555f00e12a635db152f992a6dd

    SHA256

    f00e01c6efcd9f43909ae0a243167bb3fb93eb887e445d45f69474cf6c5d4e19

    SHA512

    b53457bd45d6c3e3f1c910cfef4f089aeaf97bed6b51360b2f7542827b8a6c3cd96c97570cfa8c7ab03b7655d17bd92e2dc87668041de14d21460117ae1cefba

  • C:\SysDrv59\adobloc.exe

    Filesize

    115KB

    MD5

    60f138cd300f13294b0be77515a2b86b

    SHA1

    c7cd1731bb7edf1277c0807cd911af817d3ffaa5

    SHA256

    0a659a158e3344c256b779d2ad141f2ebfd6c34a6730fa482ef602461fd6b51a

    SHA512

    2ab899fe5da955f3714bd50242682eba3db5363b9b495b123f671df45e912e6dd9ddef51561999d24e9f3598188ad70aa6ba89d9ffd935303be9dba3915a598e

  • C:\SysDrv59\adobloc.exe

    Filesize

    2.6MB

    MD5

    f332e5881f656d9faa64de05baea391a

    SHA1

    ce169cc41c22638e6c3f8dfbc27e8ef10e8ae330

    SHA256

    2ebb9e85f0cac6961fd7fe53595b4207085dcdf668c703add5c8e631481fbea8

    SHA512

    29735e985bc2d35652e29eccc66fe73ba628bba6b4b115bc004c1ddfdf92a8f4f513eea2028f3cfe7910076d87452fb4eaabf434abdbcb1d6ff9d9301672eff3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    82a979e3c8b6b96ba66f4b5bfd5db284

    SHA1

    672c1391e0c576ac07c01fdd71f03e36273d3cf6

    SHA256

    5d386740237a9c712ea9b5eda20ca35ebb151a871c27d5e884b8f3e84db5e045

    SHA512

    b8f5209f94635b1e686e8e62d3100a5c8bd5911d92fe09676aa57ce98c62ab8903c6471ba259d1e9bfc77f8710bd7d15bc957728661c29501490cbc3fe76ee12

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    f83b0740c159f43712b05ffe7f6ecef7

    SHA1

    b6bd185bb37739530514e0f56cb6e21bb7718e93

    SHA256

    f8adbf545890e393772519492eb229a09ee54cf472d39b6526d37d2bbd119689

    SHA512

    aab81e44282bf5ecc4f831b8f5a7c73c25c8828532641bdbae6c209ab208223caf43609258cd2e50ac05547395fd8597a0112cac3b4a14d5dcafa61d50ab361a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    689397301e22151ecdc063244e072046

    SHA1

    acddcddcb0caa4acd2a97f4fe66fc0ec9c43eedf

    SHA256

    c0a6cc6516a7cfba3930e89ffa0645ca4769b1607b8c334cf1bd619802e5dd76

    SHA512

    620555af1f0cbcb8274f58a5377b6f54024b99710e1b18b838da0bd9b6f1af1214ada33cbb7b3be4d5d4b2457043156c46d4f2916fd1a0693813647684b4aa8c