Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:17

General

  • Target

    f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe

  • Size

    2.6MB

  • MD5

    100fe9882157b5de43ffa45b06182070

  • SHA1

    077ec1db08d976ba9efd452ea2c51b0a54a3f4af

  • SHA256

    f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300

  • SHA512

    e51237410ba338f6777177b126bad5a6d909ea2d171e3b08793227cea3172b06bb6d0e0c380b405b3421065e216ebece0890fa463507c0b723f043611182c558

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
    "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2304
    • C:\UserDotRG\devbodloc.exe
      C:\UserDotRG\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2444

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\UserDotRG\devbodloc.exe

          Filesize

          2.6MB

          MD5

          789e2dfc4f795e4eb44baaaa0a95e88c

          SHA1

          eb004f5c155a09091f2862768dcc6020d1c80ec4

          SHA256

          27724abcd44193f7de37a980fc271905c86e8cf1f6a22f93e569adf74a79384e

          SHA512

          576d7d1be66f32ab03b096dc56ddd50ca11cf434d7f398c98f2cc0724c80576a5c289ea4756cc65f432f05820f0fdeec747262dca2bd0fc659c9bdbb7892d82c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          b6df78d53bf5f072b4016cb6debcd339

          SHA1

          856d69f7aae3fcc730f851c5ad458dbc3efbe69b

          SHA256

          107e354383e4fc2bbe6f232ff795616b93061c286bf309d51ecd4aa4768e3ccf

          SHA512

          ef1e9cff07414e3bbf033e49499b2902b4b422a07f2ff8a26ae4a86c214ba1a61f42954cc34e15d6e1bee56dfdc79bdac0d01be3a6ae353bae47726f02b57272

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          7fd491ac5722e37348858752b02bfc64

          SHA1

          3052abd184ad5633e9806fb383ad8a76973d064a

          SHA256

          b3034e6ad0b5ef770eac122ab7388c1c88cefe8f102d316372ad2c9bb92da6c9

          SHA512

          c7652b0d6121ce843e77182c771e85722be4e91de8a968113ffdbca27bbf6466867c327a4f2dfa27a6f0814814d252e255313dcc53915b2739e2dad81b16e55c

        • C:\VidSJ\optidevec.exe

          Filesize

          2.6MB

          MD5

          45f3a6dc655258fd56bd4d48e0cbf22d

          SHA1

          ba2690c3561adb860b577f4708a7204ee84a2179

          SHA256

          c9c7302696f21ef2ed7b16f2bec909bd99b0472c771a1b25f393f21c38e04bf1

          SHA512

          8abc6ad72fe21c8f522c8170f0ae44f0cc2b12174340eaa72793ae204e48ebdea72c5c1b2716b0442ea7b947b1c0ca2f86552aa1da9e90e17b8f0c4b5e21b44b

        • C:\VidSJ\optidevec.exe

          Filesize

          2.6MB

          MD5

          8b9ae61de40b44909197d901145727e2

          SHA1

          49d4b1c0c0814322a45047603f0f3d6b63d27110

          SHA256

          63c754cd29e2cc2c925cdcc221e7b340259e271ef52f2563eb322e066078002e

          SHA512

          b9fa83ca0a358d065fcda0e0c31ba46583bc9409bd9a63f57871835c0237d3c75bce3fe030de1de5ef28388d245cd1f1c47d6f1a608dab6fa078633e9ddb9723

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          4f713cf3e5e2f9948819b223fef7f2c3

          SHA1

          9c78f2f07d7ce6772e9a1a0fdd5375e9d7c6fdef

          SHA256

          7de7725dd1e5a02ca5cfdfda45e4975dceea14cf129008a3cba2de7dee43a799

          SHA512

          24abf01f633eb02e7f4587263d23461b9ec637bbc3632f6992389bef0ed9aef1fd28413f475f432bed72d625051a932a9d03468144a2489315797e200adb61b3