Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 12:57

General

  • Target: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  • Size: 2.6MB
  • MD5: 23e5741a9817b7a6135e8fe7c1cf6110
  • SHA1: a3e03c16f065cd045e2ee5b7e27b046aa2c75ed4
  • SHA256: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03
  • SHA512: c7085468fad9ddbe62b5aad2b316813bf6bab358041dbcd7ed05542d5d7477825a28bc6fdac6eb90b02b7833d205126bf147bed93272a3ee77b8e2cee44462c0
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
    "C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3260
    • C:\FilesJL\devbodec.exe
      C:\FilesJL\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408

Network


Downloads

  • C:\FilesJL\devbodec.exe
    Filesize: 2.6MB
    MD5: f7994c4ba1be3ef7507611fe7149f9f8
    SHA1: 039e5c534c46aeacfff1f621d19217c1cde75396
    SHA256: 795e30cdc9503739521dc806c0fea9efc6f27e09e12594f0710eb3453b203b30
    SHA512: 140d3ee866723b57d043ea8cb1a1a0273b0de179ce155aa5a96bdaefbf74c6a1e58096d0da2654c717250d9dc15b8646e0fddfa2d8e6c6c17862488d4175d5be

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 76fe5864151704395a8c1b162d333eb4
    SHA1: 4f22f56be77e3a15e0c13dcfb25b0206191fe893
    SHA256: 91188e871dcd83cab6e2849cc7ea3f949eea2b852c1cb52a3006e7a56f60f9ed
    SHA512: 29e3acd538a45b4cebc35ee0a85cb1ebba26ec49709ff500947dd49a3b8a5dafffbc50d6e0b2080eccd3b8c14607807144cb073ebe009b5eb07ae2a0dc856994

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 5b0bfa416fee4a58e0b844be29abf74c
    SHA1: 1f8f2e1ed7dee02a85f09fcb42fd3ec97e177408
    SHA256: f4c1912e29ae6cd2b7979d7400cd87fd0be7544105f48dc40b43f844b2bc0e54
    SHA512: c736fb7386cb53c497717f0b4ea05e7557953bbb27e5e528acaaba3d2fdd721fe2e8f4e4a9b3ab95f870b328670dd9fd1f7445b687d5e50212360525123430bf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 2.6MB
    MD5: 1dc9223ccfd2657da359b90c0c05baa8
    SHA1: e58ce6c82e68f67b29d742dcb0f97e104d592571
    SHA256: 72e2b9348162b8c5d0634490d8b1cd29c09c8828dd67ce5ad0776878ee7f9da6
    SHA512: 4d5b5ad820c4b418e8bc60f974dffeed0b7a29746385c0c7dff8383440c81306dc05c0c50d479e6eab58fe1598f61829251a7406b84910dc34935fef57ae3482

  • C:\Vid76\dobaec.exe
    Filesize: 2.6MB
    MD5: b9409397c5ead3006db1fe6485548d0a
    SHA1: 36c46971f21ea85d645a60a78e8d893c2337331c
    SHA256: 63cbef2c1e554c7a9cb75d7db4388a7f7ecfacec4515f3d4bcd849121883ab63
    SHA512: a689ab0926979b30a3a4b3d9ec8c94c7dd869ffaa78dc36060c410b9c908a301e98b7b425db18932b4701e5229e53632510403adf7d01b5f81623c6495a3ef38

  • C:\Vid76\dobaec.exe
    Filesize: 140KB
    MD5: 115bea969b14e5a6fcb2ef34be7848db
    SHA1: ee36becbc651d86c9c6daedec9e67250a71f962f
    SHA256: 0358b145bfc1f72f593ec59a2e0ac5b7fde473ed6c3606073e8f68236cf31529
    SHA512: a32bc50005c918a3f32d40b7514c861c355045b40f14ff39e0fb7fff603112dcc34fd7a73265b2063d997698159089c6d2a435ddad90ee0bdc5069db344226ef