Analysis

  • max time kernel: 119s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/11/2024, 12:52

General

  • Target: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
  • Size: 2.6MB
  • MD5: f0b744b1415c66f734160a603184c720
  • SHA1: 3e3eb1b6ff0da239fed74b163db964a07989b53d
  • SHA256: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2f
  • SHA512: 2eb3d293682bf0599ea86b7d455818f3201d0aa71a2d0e14ee43d5f9f63ec608f370a2ba299e5362906a244e402d58377d9e2a940d35992696e7f291a2eb6d76
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
    "C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2796
    • C:\IntelprocFR\devoptiec.exe
      C:\IntelprocFR\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocFR\devoptiec.exe
          Filesize: 2.6MB
          MD5: eca65871c84668c45b86f5299cd60f1c
          SHA1: 44e543f5b6f5e5ba5836d4694bb4a978878aaa24
          SHA256: f6fee2726577c41da6302e02f2c23e2d9ad33af47b6a2b8235cf671f290fb83f
          SHA512: ea241e6e5294b687687e0748bbba40a4beefbfb9cb45be12c15a5c5b66132c5657d7374f60f64c057fe20c52043cc8ad29ba99cd07f18c0c58659618665238a2

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 175B
          MD5: 2af9834abb621af6fdbdf68e26cc8302
          SHA1: c272d094acb16e32330b4528359940f9923b166c
          SHA256: 13c3f75d28565188f11d5c9581fc9358dff8ee90e7789f126c4819c8899ed74a
          SHA512: 933f78aed13fae3b40774cf904be1211f066a86eef1d4879b7693072b1bd08d460dde3904be9fd5d731ac459461579364471fe3c788140c8c1627069fa318be1

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 207B
          MD5: b243b9748d727fc4ac90146572c6da20
          SHA1: 417f2d085d2ea4575d46ba3cf708114f25d8bb7f
          SHA256: 9b71d4f1ee98c2b4aba18df3e18ce5c4c2388f2a603e95ebf883edff7e07eb53
          SHA512: a00d2f8faa2028643997c28d4a7b971157ed66074553775f82502b207338e61d88835269941cd3b4e0f28af1e3580450adc18413dca0f20278670a39dcb93a96

        • C:\Vid0P\bodxsys.exe
          Filesize: 2.6MB
          MD5: 5807a4828b5293bc637199ddadf141bb
          SHA1: f886f611f3c7e6d4dc5e07ecf116db49d33e727b
          SHA256: 326a16681e27a370b76dd67b52fad91d912cc1fc43ba7d04a8aac6c34ac0592f
          SHA512: 64c2bc0e9210a4eef522e283fbbb4b343a6aca6b1140a2cf2c68f1e99c44361e953604d9f5bd23961320590fd9e0b19876f9fafd3f7f07ffee7926c010205e74

        • C:\Vid0P\bodxsys.exe
          Filesize: 2.6MB
          MD5: b933d3f889f8aee7383a66e5ff269e1c
          SHA1: b5e2659797d41bb0af958ca1da1d07f844cd37a6
          SHA256: 6151e93ad8ea8ea8088a687422c029bfdaead567147c2f6ccc3ca0f61f80eb7a
          SHA512: 882165e4f3a815395595ae99013ed411fbe4b34698b22f405dab21375115dacf0e5335a9b45cef426686589064ffdce9c9201c88c02d4646278d05c8b79ffd0d

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
          Filesize: 2.6MB
          MD5: 7f7870aa35e3095cf0835790003e7dbc
          SHA1: be42d64437632ef111a7f1ea841a7f40a66cb098
          SHA256: 810c66dbe5ef06cc7733f1eca7696b10d6327fd97a62f9e91a4f8ed7126285b4
          SHA512: 150ea4102b2ee42b8fd0af8afbfbca76eecfd5bc9ff4de756f158c773ed0f8259352475d12041d3cd3d2cc1397b3ccc191f61647cbc0765988c01a9582fe5d36