Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:05

General

  • Target

    d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe

  • Size

    2.6MB

  • MD5

    af4e02c1ae0d33b078cec2d88ad2d5c0

  • SHA1

    ea2627cc11ffaa4c76257382aa820d04cb804c8f

  • SHA256

    d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa

  • SHA512

    f13586399790e9bc542002393ffc77e48ffabc21ee487fc6a523f365557060306e35df5f0e2ce2738821e5d7a7c00d07cf6a41ae692acd6034ee03a3a7680bc2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUp7bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
    "C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2108
    • C:\SysDrvIP\adobec.exe
      C:\SysDrvIP\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2264

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVB2Z\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          b344f683d47b9ce9a6b7419ea624da4a

          SHA1

          60e6208426015932e2514881b45b9aae02ed012b

          SHA256

          abf5a70b7dca72f8f59c2efea5c14863d8c413f1e5ba859a2f8ebc0edad42f4f

          SHA512

          f65dd36b9bd9c284013bfe9190f042108cf3b6ad90e1fe984673f63a7986dd8991b38c78e2a1295d0da8ee76acf48a4a0b586b68932aaaed56c9d1eb7cc34486

        • C:\KaVB2Z\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          f0a78b1e29ccc2a158eeb19862bcc6be

          SHA1

          df2aff6d92ce9ba2379cedcea90d91f330592b27

          SHA256

          93a5821dba79846495d515efd307250067d0a9af35125a062ffbdaa017ea1442

          SHA512

          83fad5f7f8582f0ba46c44bd446ed59537280262e5f66dfb66aba108c5bd1b56f6a1b3b978992680ad025774dde3404eb1a98c4bc5550961142014330dbf2bb1

        • C:\SysDrvIP\adobec.exe

          Filesize

          2.6MB

          MD5

          73e2dc40b2529d4b5937bc83e18c40a9

          SHA1

          ce6704628714b8ffe0bc3ce3b0c485ba19b8b1f6

          SHA256

          a810b8b2665c51b77da727b8043fdf20a627c07b8ab7fc8296dafc6802d250cf

          SHA512

          dd1431cb6963e657392ae9fee6753046e19941810836cae43b6d3e3725eac5e0911b495c66b4dfdd1c6612c80111bb957c8d95449217fd4d279e9254fd15e8bb

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          4ac585dd1e95539a8a77c400bd1232cf

          SHA1

          5befdc6bff53b8a2a55879a1a775dee918b2e935

          SHA256

          e738e9ea0187ab568187cbe791c96e139826ae7a09606d42f21ecc35ed7436a7

          SHA512

          7de9850558c0086e0b393ce22a47561cc82746c7b3f91cf26ab076409576bea556997d15126c32ca9c2cc228a4ce3f151701221b03c20259f35fcae90bca0f6c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          58952ef1fa808af00f03f5b95752a646

          SHA1

          ad3fe5f8bd8d4d477b4f25c68e1674ffc4a42844

          SHA256

          ce41363ac900911dfb9ceef2a5e2d4338e6cb7277d264fb0f2b453a32200c0f8

          SHA512

          d3f481e737f9fbb29d9ed17b341a0322a759e4d3e0c9fa08bced89e1b88127c34a219f9ff0411fc12435026a7f20fa9f46109fb7d70967fad678690fd499531a

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          4652aa636876a226355f8e175c68f2f6

          SHA1

          1baf50f018f0df14eebefee217b46872ed0c55bd

          SHA256

          fc9036f2a9fab21be6674afe9cbef8771b1f1d42b98ee1d5ebd0cc333e12bc7c

          SHA512

          f37f1fbcb46f77cea44d26d2654082393d9138572cd8f45d3d75264072cc1a18c1cf3a54dd8a5e10a9aa66936321d7bd1fd9ce1da0ea4e5ec5e8c83536f52d33
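A host triage script for the artifacts in this report, added here as an example; it is not part of the sandbox output. It covers the persistence signatures (Drops startup file, Adds Run key to start application), the dropped-file paths from the process tree, and the SHA-256 values in the file list above: each known path is hashed and compared with the recorded values, both Run keys are enumerated (the report counts two Run-key IoCs but does not print the value names, so every entry is listed and flagged when it references one of the dropped directories or file names), and the per-user Startup folder is listed. Assumptions: it runs in an elevated PowerShell session on the suspect host; Get-FileHash needs PowerShell 4.0 or later, which on Windows 7 means an installed Windows Management Framework update; the sandbox user was Admin, so profile-relative paths are rebuilt from the current user's environment, and the .ini file name (which appears to embed an OS version and user name) may differ on another host.

```powershell
# Added example, not part of the sandbox report. Run elevated on the suspect host.
# Paths and hashes below are taken from the report; everything else is an assumption.

# Dropped-file paths from the process tree and the file list.
$DroppedPaths = @(
    "C:\KaVB2Z\dobdevsys.exe",
    "C:\SysDrvIP\adobec.exe",
    (Join-Path $env:APPDATA "Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"),
    # Sandbox name; assumed to vary by host (it looks like <id>_<osver>_<user>.ini).
    (Join-Path $env:USERPROFILE "253086396416_6.1_Admin.ini")
)

# SHA-256 values from the report: the submitted sample plus every dropped-file variant.
$KnownSha256 = @(
    "d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa",
    "abf5a70b7dca72f8f59c2efea5c14863d8c413f1e5ba859a2f8ebc0edad42f4f",
    "93a5821dba79846495d515efd307250067d0a9af35125a062ffbdaa017ea1442",
    "a810b8b2665c51b77da727b8043fdf20a627c07b8ab7fc8296dafc6802d250cf",
    "fc9036f2a9fab21be6674afe9cbef8771b1f1d42b98ee1d5ebd0cc333e12bc7c"
)

function Test-DroppedFiles {
    # Hash every known path that exists; a present file whose hash differs is still
    # worth collecting, since the report itself shows the same path written with
    # different contents more than once.
    foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $status = if ($KnownSha256 -contains $h) { "HASH MATCH" } else { "present, hash differs" }
            [pscustomobject]@{ Path = $p; Sha256 = $h; Status = $status }
        }
    }
}

function Get-RunKeyEntries {
    # "Adds Run key to start application": the report does not name the value, so list
    # every entry in both hives and flag those pointing at the dropped artifacts.
    $keys = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like "PS*") { continue }   # skip PSPath, PSParentPath, etc.
            $value = [string]$props.$name
            $flag = $value -match 'KaVB2Z|SysDrvIP|dobdevsys|adobec|ecdevdob'
            [pscustomobject]@{ Key = $k; Name = $name; Command = $value; MatchesReport = $flag }
        }
    }
}

function Get-StartupFolderItems {
    # "Drops startup file": anything here runs at the next interactive logon.
    $startup = Join-Path $env:APPDATA "Microsoft\Windows\Start Menu\Programs\Startup"
    Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Test-DroppedFiles       | Format-Table -AutoSize
Get-RunKeyEntries       | Format-Table -AutoSize
Get-StartupFolderItems  | Format-Table -AutoSize
```

Hash matches are conclusive; a present file with a different hash is not a miss, because the report records the same path (C:\KaVB2Z\dobdevsys.exe and the .ini) written with different contents during one run, so copy any file found at these paths before deciding. The Run-key scan also checks HKLM even though the sandbox ran as a normal user, because the same sample on an elevated session could land there.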