Analysis

  • max time kernel
    120s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-10-2024 01:52

General

  • Target

    498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe

  • Size

    2.6MB

  • MD5

    a15549388e8505b38d0cbc086ab21650

  • SHA1

    ffd85f890273c73fe210f5c2feb0008b853c62b5

  • SHA256

    498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21

  • SHA512

    1973395607f23f5e2face253dd5bd8cdd8c830ca589263628b0b4f83d4828911a4994a5db9621095023b1360414a976a05c73b5aece9a8528ef30b486c317d0f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUplb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
    "C:\Users\Admin\AppData\Local\Temp\498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:244
    • C:\SysDrvY3\aoptiec.exe
      C:\SysDrvY3\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintC3\dobaec.exe

    Filesize

    11KB

    MD5

    3193f6732970f64ca3094d85171d7380

    SHA1

    0d2f450337cb69eafa727d6d6de40feb0750ba1d

    SHA256

    e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

    SHA512

    b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

  • C:\MintC3\dobaec.exe

    Filesize

    15KB

    MD5

    10e6df3619bbbd1a2464d5000a56fbb5

    SHA1

    9080f324c059847c04fbc434d62d8ab2e06140a9

    SHA256

    e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

    SHA512

    9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

  • C:\SysDrvY3\aoptiec.exe

    Filesize

    2.6MB

    MD5

    8cc4bd9e962da8395dfc84d95db6b5b6

    SHA1

    85172b77249150f85432fccba873bcaed37fb278

    SHA256

    a1d5c93fbfed913c4e91a0f3c266e0c622d0f399dd1718915d9fadb097a268a6

    SHA512

    33cfdca24b25a380b9d99cdb760042786fd08fd2ed2d4c3ac76119145270e3f3cc16511f6815703bf93516195475c6626f8d0c6ecc4c0b876a5f0c3529d6cba5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    1c3b72c83354d8d32854d16e09abe458

    SHA1

    16e98c1ae540627af7c2782718c31bd0dbaae99b

    SHA256

    d2f8e59fc40158af7ba25f8dcc467d1764c480a3a30c8a35165e3ab36d6d3c91

    SHA512

    98c9d575ca1ba257f5f4d23e11c4c139e3efb0192bd50587f255fcf6f29a5b1d5e27d83aa13d9732a2c8a9121c13401ba531d97929b5e7d23fa68eec2b2fb576

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    a7e8a056eb2ea6544e554cbd4a351ac3

    SHA1

    30aff2072b3bf16c7fe0ae73043c87c0dbacf221

    SHA256

    4d147a0e80b9727c921f66143cd30ad16ed7e61bdf6f430fa2f356ff2c072e1d

    SHA512

    41fb8a838ed6d423ebfc4289084f4750368f80eda0390d55a4bf54d519d598492ee37dd512b046c6244820f97bf8efbf0ae526d0222295d7a8eacf258861366d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    0d77f950040263a86f16d19eb4d18c70

    SHA1

    35de10f84b045a6fbe924320e2e2880fb8524a21

    SHA256

    281aca67e6742dc7798067674aace57d579696613c051206ae61b2778cb3fe9b

    SHA512

    10c00e91e0b77413be768f4653ae723dd17d93fe29c7e3da7b35f2158b0a3925e16e2edf39def01ea44a9365525bd491441a0cfb980b485fb1f92c9dc5f07b2d