Analysis

  • max time kernel: 120s
  • max time network: 99s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 22:56

General

  • Target: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
  • Size: 2.6MB
  • MD5: 715576c05f35bc351aebaacfbc5f6b10
  • SHA1: 5fae5b27d815c649e98403034a213e25a5e020f8
  • SHA256: 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a
  • SHA512: 4edfdfb9e0771d120f547a9ce5ad74b3d90520f74179f49764e6ef8e44c4b1f38773476fa36b5ad880b56cb3eab2a63b216f5c9d9a408ecc9c2315a3c5840625
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpJb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
    "C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3956
    • C:\IntelprocP8\devoptisys.exe
      C:\IntelprocP8\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5000

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocP8\devoptisys.exe
          Filesize: 271KB
          MD5: 0a6404cc3bbf2135abcfcc84ea75ae6f
          SHA1: dd2774bedaa068ae4ba628c84c16d08063047bfa
          SHA256: f4fb96614be3ff20169ea1700f2d1a9ee42643b7405fefb3fd6cb9e919b50a46
          SHA512: a536c2c7f7c108b6f224324dcf6cc2e13a80eaa6759b3f15e6b1e8588fadf1ae1dea2b836acc9c3b3a1acbc8b775a837fc45f6415530e93f328df0869409f345

        • C:\IntelprocP8\devoptisys.exe
          Filesize: 2.6MB
          MD5: a04b09f03eff3192c60700c54901ec0b
          SHA1: 6c3399d1da12a0312dc05fe95390d8761acb78cb
          SHA256: b660ce4aeb3336d9309c3b4561615cc954b342a7cf427aceb6472c39760100a6
          SHA512: d7c6f1b954fdcf1f867824d8e98aa30b39595ebd6ce75048220d0ec9a306feca7a4a0f6eb0f0befb7d4f8947ae1c6599316cbd02ce85773446d31287266f08ea

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 208B
          MD5: 785c54c5d24eb900c7fbabfd93ac2250
          SHA1: 1af2ae20cadfa75423c0142ede5c327cd2e5c268
          SHA256: 0aad6d062df8cab5131fb9b7c21f629114de9109b67753ae829c96ad519a487d
          SHA512: c4e45ac62fe63cbfb14af8bb1ac12657ae54817d7fed4c3444517f82d8391fb33bd07059f2c7250c5cebd7ae5abeccf389fae50a8a5860a3078f6fdaa41c40bc

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 176B
          MD5: fcaea7b76b0e21bf60930b4909c0f057
          SHA1: 9445e986c1c73656279bba0e4cb22c35f1724243
          SHA256: b2b72fb66b9952d800fa3cfcb0d34219d17396a8d32398a0c1f00e5d40a12472
          SHA512: 617abd0b56acf5605c0382306d2c8ef34e7f9e18cdf19a77f9b03e59eb918f3dbf62307856d7a95f8b65797c5934d1b23855ef3b352c2c03bf6f50594da9171d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
          Filesize: 2.6MB
          MD5: d9355b932a2f3111c0a844777417eda4
          SHA1: 35dc36a0a4368e52d47d1d0f6cf6aa0654fc3a42
          SHA256: a8370d80f6adc6132d4323af460a2939819e25c70f0ed75028c647a3803c9be0
          SHA512: 8e9c5ee9f143abc570b1008e0edb62ffc357ce61c58116614a3bac3d485fe5c33e3d0365b28ed938caef29d76bfa205bb920f2d4c6cefd0d8b721511ec9bfbe6

        • C:\VidXX\optidevloc.exe
          Filesize: 2.6MB
          MD5: 55e5583b4ab728b17c5b3939ee6edcea
          SHA1: 72522072be08beb75fb78497b1a8cb28a12a5f14
          SHA256: bd991b1100364fe54837dadf697935678b2d3f8ab6a68f900f333d2b9b9b2425
          SHA512: 2777032158ecfb8d3ed613b16505564a3ca37c0ce7eb7d2c51651345b4de8c5e2bdbfe99d8a4198cf689200047e9891c67fef952c70b32977fd9753df00eb782

        • C:\VidXX\optidevloc.exe
          Filesize: 2.6MB
          MD5: fcd715620aebe94a77fca5e29bd4db67
          SHA1: 02d5ef7053de1e626a8c44b81e41a097ac06b13e
          SHA256: 898fa0b796d2f6c4486990a74f22e56a29ab436ec6e7b0702310b3090ee36c74
          SHA512: 9ddd12107b0c0594279aa0270542a7c61f7debd48125934c3df9bb178d0b00c92497b1750f65474ab049b7cfc70895d48d2da674195fe4ea68a7f07b7562ca97