Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
  Resource: win10v2004-20241007-en
General
Target: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
Size: 2.6MB
MD5: 100fe9882157b5de43ffa45b06182070
SHA1: 077ec1db08d976ba9efd452ea2c51b0a54a3f4af
SHA256: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300
SHA512: e51237410ba338f6777177b126bad5a6d909ea2d171e3b08793227cea3172b06bb6d0e0c380b405b3421065e216ebece0890fa463507c0b723f043611182c558
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb
Malware Config
Signatures
Process names: the submitted sample is f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe (PID 2600); it is referred to as "the sample" below.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe  (process: the sample)

Executes dropped EXE (2 IoCs)
  PID 2304  ecadob.exe
  PID 2444  devbodloc.exe

Loads dropped DLL (2 IoCs)
  PID 2600  the sample  (2 loads)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. This run lists no file or registry IoC for this signature; it is a TTP-level tag only.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRG\\devbodloc.exe"  (process: the sample)
  Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSJ\\optidevec.exe"  (process: the sample)
  Both values use the same name, Parametr. The Run value points at devbodloc.exe, which was executed in this run; the RunOnce value points at C:\VidSJ\optidevec.exe, which does not appear anywhere in the process tree below, so that binary's behaviour is not covered by this report.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: the sample)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devbodloc.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2600  the sample     (2 events)
  PID 2304  ecadob.exe     (31 events)
  PID 2444  devbodloc.exe  (31 events)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2600 (the sample) wrote to memory of PID 2304 (ecadob.exe), procid_target 30: 4 events
  PID 2600 (the sample) wrote to memory of PID 2444 (devbodloc.exe), procid_target 31: 4 events
  All eight writes go from the parent into the two children it spawned itself (see the process tree); no write into a pre-existing, unrelated process is recorded, so this signature on its own does not indicate injection into another program.
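The persistence and execution IoCs above map directly onto host telemetry. The following is an added example, not part of the sandbox report and not the sandbox's own detection logic: a small Python rule set run over Sysmon-style events constructed from this report's IoCs (Startup-folder drop, Run/RunOnce values pointing outside trusted directories, an executable in a made-up top-level directory, and a Startup-folder binary launched by something other than explorer.exe). The event field names (Sysmon ProcessCreate, FileCreate and RegistryEvent schemas), the benign msiexec.exe control event and the trusted-directory allowlist are assumptions made for the example.

```python
import re

# Constructed Sysmon-style events modelled on the IoCs in this report (added
# example data, not an export from the sandbox). Assumption: field names follow
# Sysmon's ProcessCreate (EventID 1), FileCreate (11) and RegistryEvent SetValue
# (13) schemas; the final, benign event is a made-up control case.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe")
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
USER_RUN = ("HKU\\S-1-5-21-2872745919-2748461613-2989606286-1000"
            "\\Software\\Microsoft\\Windows\\CurrentVersion")

EVENTS = [
    {"EventID": 11, "ProcessId": 2600, "Image": SAMPLE,
     "TargetFilename": STARTUP_DIR + r"\ecadob.exe"},
    {"EventID": 13, "ProcessId": 2600, "Image": SAMPLE,
     "TargetObject": USER_RUN + r"\Run\Parametr", "Details": r"C:\UserDotRG\devbodloc.exe"},
    {"EventID": 13, "ProcessId": 2600, "Image": SAMPLE,
     "TargetObject": USER_RUN + r"\RunOnce\Parametr", "Details": r"C:\VidSJ\optidevec.exe"},
    {"EventID": 1, "ProcessId": 2304, "Image": STARTUP_DIR + r"\ecadob.exe",
     "ParentProcessId": 2600, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 2444, "Image": r"C:\UserDotRG\devbodloc.exe",
     "ParentProcessId": 2600, "ParentImage": SAMPLE},
    # Constructed benign control: an installer registering a Program Files binary.
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]

# Assumed allowlist: directories a Run/RunOnce value normally points into.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allowlist: top-level directories that legitimately hold executables.
STANDARD_TOP_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}

RUN_VALUE_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$")
STARTUP_EXE_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$")
ROOT_LEVEL_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$")


def run_value_path(details: str) -> str:
    """Extract the executable path from Run value data, handling quoted paths
    and trailing arguments (an unquoted path may itself contain spaces)."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.exe)(?=\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else d


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event triggers."""
    hits = []
    eid = ev["EventID"]
    if eid == 11 and STARTUP_EXE_RE.search(ev["TargetFilename"].lower()):
        hits.append("startup_folder_exe_drop")
    if eid == 13 and RUN_VALUE_RE.search(ev["TargetObject"].lower()):
        if not run_value_path(ev["Details"]).lower().startswith(TRUSTED_ROOTS):
            hits.append("run_key_outside_trusted_dirs")
    if eid == 1:
        image = ev["Image"].lower()
        m = ROOT_LEVEL_EXE_RE.match(image)
        if m and m.group(1) not in STANDARD_TOP_DIRS:
            hits.append("exe_in_custom_root_dir")
        # Startup-folder items are launched by explorer.exe at logon; anything
        # else starting one (here: the dropper itself) deserves a look.
        if (STARTUP_EXE_RE.search(image)
                and ev.get("ParentImage", "").lower() != r"c:\windows\explorer.exe"):
            hits.append("startup_exe_not_launched_by_explorer")
    return hits


def scan(events: list[dict]) -> list[dict]:
    """Run every rule over every event and collect findings with their IoC."""
    findings = []
    for ev in events:
        ioc = ev.get("TargetFilename") or ev.get("Details") or ev["Image"]
        for rule in check_event(ev):
            findings.append({"rule": rule, "pid": ev["ProcessId"], "ioc": ioc})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['rule']:<38} pid={f['pid']:<5} {f['ioc']}")
```

Run stand-alone, the script flags the five malicious events and leaves the msiexec.exe control event alone. The Run-value rule keys on where the value points rather than on the value name, because the name (Parametr here) is arbitrary and will change between builds, while a persistence target under a made-up directory such as C:\UserDotRG is the part that survives.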
Processes
1. C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe"
   PID: 2600
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe  (child of PID 2600)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      PID: 2304
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDotRG\devbodloc.exe  (child of PID 2600)
      Command line: C:\UserDotRG\devbodloc.exe
      PID: 2444
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 789e2dfc4f795e4eb44baaaa0a95e88c
SHA1: eb004f5c155a09091f2862768dcc6020d1c80ec4
SHA256: 27724abcd44193f7de37a980fc271905c86e8cf1f6a22f93e569adf74a79384e
SHA512: 576d7d1be66f32ab03b096dc56ddd50ca11cf434d7f398c98f2cc0724c80576a5c289ea4756cc65f432f05820f0fdeec747262dca2bd0fc659c9bdbb7892d82c

Filesize: 172B
MD5: b6df78d53bf5f072b4016cb6debcd339
SHA1: 856d69f7aae3fcc730f851c5ad458dbc3efbe69b
SHA256: 107e354383e4fc2bbe6f232ff795616b93061c286bf309d51ecd4aa4768e3ccf
SHA512: ef1e9cff07414e3bbf033e49499b2902b4b422a07f2ff8a26ae4a86c214ba1a61f42954cc34e15d6e1bee56dfdc79bdac0d01be3a6ae353bae47726f02b57272

Filesize: 204B
MD5: 7fd491ac5722e37348858752b02bfc64
SHA1: 3052abd184ad5633e9806fb383ad8a76973d064a
SHA256: b3034e6ad0b5ef770eac122ab7388c1c88cefe8f102d316372ad2c9bb92da6c9
SHA512: c7652b0d6121ce843e77182c771e85722be4e91de8a968113ffdbca27bbf6466867c327a4f2dfa27a6f0814814d252e255313dcc53915b2739e2dad81b16e55c

Filesize: 2.6MB
MD5: 45f3a6dc655258fd56bd4d48e0cbf22d
SHA1: ba2690c3561adb860b577f4708a7204ee84a2179
SHA256: c9c7302696f21ef2ed7b16f2bec909bd99b0472c771a1b25f393f21c38e04bf1
SHA512: 8abc6ad72fe21c8f522c8170f0ae44f0cc2b12174340eaa72793ae204e48ebdea72c5c1b2716b0442ea7b947b1c0ca2f86552aa1da9e90e17b8f0c4b5e21b44b

Filesize: 2.6MB
MD5: 8b9ae61de40b44909197d901145727e2
SHA1: 49d4b1c0c0814322a45047603f0f3d6b63d27110
SHA256: 63c754cd29e2cc2c925cdcc221e7b340259e271ef52f2563eb322e066078002e
SHA512: b9fa83ca0a358d065fcda0e0c31ba46583bc9409bd9a63f57871835c0237d3c75bce3fe030de1de5ef28388d245cd1f1c47d6f1a608dab6fa078633e9ddb9723

Filesize: 2.6MB
MD5: 4f713cf3e5e2f9948819b223fef7f2c3
SHA1: 9c78f2f07d7ce6772e9a1a0fdd5375e9d7c6fdef
SHA256: 7de7725dd1e5a02ca5cfdfda45e4975dceea14cf129008a3cba2de7dee43a799
SHA512: 24abf01f633eb02e7f4587263d23461b9ec637bbc3632f6992389bef0ed9aef1fd28413f475f432bed72d625051a932a9d03468144a2489315797e200adb61b3