Analysis
  max time kernel: 120s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/11/2024, 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Resource: win10v2004-20241007-en
General
  Target: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
  Size: 2.6MB
  MD5: 23e5741a9817b7a6135e8fe7c1cf6110
  SHA1: a3e03c16f065cd045e2ee5b7e27b046aa2c75ed4
  SHA256: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03
  SHA512: c7085468fad9ddbe62b5aad2b316813bf6bab358041dbcd7ed05542d5d7477825a28bc6fdac6eb90b02b7833d205126bf147bed93272a3ee77b8e2cee44462c0
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  Process: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
Executes dropped EXE 2 IoCs
  pid 3260  Process ecdevopti.exe
  pid 2408  Process devbodec.exe
Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid76\\dobaec.exe"
  Process: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\devbodec.exe"
  Process: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecdevopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devbodec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 3108  Process b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  (first 4 entries)
  pid 3260  Process ecdevopti.exe  (30 entries)
  pid 2408  Process devbodec.exe  (30 entries)
  The remaining 60 entries alternate in pairs between 3260 ecdevopti.exe and 2408 devbodec.exe.
Suspicious use of WriteProcessMemory 6 IoCs
  description                        pid   Process                                                                   procid_target
  PID 3108 wrote to memory of 3260   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  86
  PID 3108 wrote to memory of 3260   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  86
  PID 3108 wrote to memory of 3260   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  86
  PID 3108 wrote to memory of 2408   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  89
  PID 3108 wrote to memory of 2408   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  89
  PID 3108 wrote to memory of 2408   3108  b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe  89
Processes
  (depth 1) C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3108

    (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3260

    (depth 2) C:\FilesJL\devbodec.exe
      Command line: C:\FilesJL\devbodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 2.6MB
  MD5: f7994c4ba1be3ef7507611fe7149f9f8
  SHA1: 039e5c534c46aeacfff1f621d19217c1cde75396
  SHA256: 795e30cdc9503739521dc806c0fea9efc6f27e09e12594f0710eb3453b203b30
  SHA512: 140d3ee866723b57d043ea8cb1a1a0273b0de179ce155aa5a96bdaefbf74c6a1e58096d0da2654c717250d9dc15b8646e0fddfa2d8e6c6c17862488d4175d5be

  Filesize: 201B
  MD5: 76fe5864151704395a8c1b162d333eb4
  SHA1: 4f22f56be77e3a15e0c13dcfb25b0206191fe893
  SHA256: 91188e871dcd83cab6e2849cc7ea3f949eea2b852c1cb52a3006e7a56f60f9ed
  SHA512: 29e3acd538a45b4cebc35ee0a85cb1ebba26ec49709ff500947dd49a3b8a5dafffbc50d6e0b2080eccd3b8c14607807144cb073ebe009b5eb07ae2a0dc856994

  Filesize: 169B
  MD5: 5b0bfa416fee4a58e0b844be29abf74c
  SHA1: 1f8f2e1ed7dee02a85f09fcb42fd3ec97e177408
  SHA256: f4c1912e29ae6cd2b7979d7400cd87fd0be7544105f48dc40b43f844b2bc0e54
  SHA512: c736fb7386cb53c497717f0b4ea05e7557953bbb27e5e528acaaba3d2fdd721fe2e8f4e4a9b3ab95f870b328670dd9fd1f7445b687d5e50212360525123430bf

  Filesize: 2.6MB
  MD5: 1dc9223ccfd2657da359b90c0c05baa8
  SHA1: e58ce6c82e68f67b29d742dcb0f97e104d592571
  SHA256: 72e2b9348162b8c5d0634490d8b1cd29c09c8828dd67ce5ad0776878ee7f9da6
  SHA512: 4d5b5ad820c4b418e8bc60f974dffeed0b7a29746385c0c7dff8383440c81306dc05c0c50d479e6eab58fe1598f61829251a7406b84910dc34935fef57ae3482

  Filesize: 2.6MB
  MD5: b9409397c5ead3006db1fe6485548d0a
  SHA1: 36c46971f21ea85d645a60a78e8d893c2337331c
  SHA256: 63cbef2c1e554c7a9cb75d7db4388a7f7ecfacec4515f3d4bcd849121883ab63
  SHA512: a689ab0926979b30a3a4b3d9ec8c94c7dd869ffaa78dc36060c410b9c908a301e98b7b425db18932b4701e5229e53632510403adf7d01b5f81623c6495a3ef38

  Filesize: 140KB
  MD5: 115bea969b14e5a6fcb2ef34be7848db
  SHA1: ee36becbc651d86c9c6daedec9e67250a71f962f
  SHA256: 0358b145bfc1f72f593ec59a2e0ac5b7fde473ed6c3606073e8f68236cf31529
  SHA512: a32bc50005c918a3f32d40b7514c861c355045b40f14ff39e0fb7fff603112dcc34fd7a73265b2063d997698159089c6d2a435ddad90ee0bdc5069db344226ef