Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:54

General

  • Target

    8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe

  • Size

    2.6MB

  • MD5

    cef5dad727471586603a887b866d9920

  • SHA1

    12971557a18ba400a88978d45ab759f7a35d70a5

  • SHA256

    8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420

  • SHA512

    973f8bff66d20814b9a167a6b88209524865d30dd0b397cfcfdc34fe0c49b981e7ecdfe9d25b9a375611871725e483f81d6128b63523dd5873093706e1ce72f5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
    "C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2880
    • C:\IntelprocGS\xdobsys.exe
      C:\IntelprocGS\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5100

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocGS\xdobsys.exe

          Filesize

          2.6MB

          MD5

          9e95124eb81fc87105580e24296ca3b3

          SHA1

          1fd345bd07aa897c42bc53bce4c5c814887bcbea

          SHA256

          c4bd95d77eacd936c1144f47b17b2090ebe66b86aea639a0b6ff2182b43de665

          SHA512

          6dae7795a813a51a9e025e371e00146c12beb8045015f681def3d6d12b311f8a308336129f29f1a27610ad63ebbba68280fbda4703ca3053ceaf5c58afb68122

        • C:\MintVO\optidevsys.exe

          Filesize

          2.6MB

          MD5

          457e1cec4e1bee3daa3512fa0690f141

          SHA1

          5466dbcdb228bc29ac8bbc229460fc0785710d75

          SHA256

          70a1b2c6da72948115c96de89d932fda0b2ed738a28f73311b74f0ab7bf9f547

          SHA512

          4cfb57aa80e3963dc71f3148f173585a2ee9c46eaef30f7dbc1b57e18fa4758f49c53f7a34090182de832e9b5a4b33e770bf0a2b8d54ebcaae993360300135ae

        • C:\MintVO\optidevsys.exe

          Filesize

          223KB

          MD5

          bd293b77377b9f08b4b5763a889a1324

          SHA1

          1270f64634150c6853440db4aca88ebfb4c1250a

          SHA256

          6275c2cf8f4dce45fe2879bdfd9c4e91b7ca45cd0322cb69ee47d7403fdc66a4

          SHA512

          4d033dbf941c444d86fbe9844bd1162c4bc540cb73203f70a810773eff952f69bbdcf3b04b1a5b8be3f420bd9045b320a76e349110326088729cf63c6536776f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          208B

          MD5

          cedb5fb349ceff525093d516e99e0e80

          SHA1

          d938e3768051e563fe5dc21854af479062790b0a

          SHA256

          8b2e49c7bfb8988a95a03c4f89b861867ef38ad64a5228c3b279aeb1641df1d8

          SHA512

          43c9832f93f33e93574e5916b1553327b44647adbb271f409e680095677533e3325b270dab5aa44fd5b999c5acf4c2cb36e1f85b58c8550837e06ec781bdd7de

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          176B

          MD5

          10209582701a00f1eb4d6571a2d9c8a0

          SHA1

          37b71138880a48e7b4fb1878806cda7a84e206ed

          SHA256

          cc6c92045f3e5232fb6a423fa9f6081b1d890e5e685347d2f550af573cd2209c

          SHA512

          1ea37b95a99ab790f6dd2a4bce73ea9808f4b4bbfc8fc643591f221f4484c3286b0b22b857a513f66dac0fd39065a51369a25523bd7d8582b3d3e09a57fad6a4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          2.6MB

          MD5

          9b7d628ef5b3f38127ce2e462729e5d1

          SHA1

          0617c5f7643d3048cf16117ec0b3b47bc8669e93

          SHA256

          3bcccc7c7be1c8a5d32bb3aebc7f48a6481a6bad7aa57739fc02013ae9154fa3

          SHA512

          3167929c89a9c3384b69078e4f17f968e74fab712980f02e5c29c3815e78c2425af5ee157800342e65225905e0cff418877bb024c5e69b8bf58b07fa1a45a9e7