Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:22

General

  • Target
    82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  • Size
    2.6MB
  • MD5
    6bb5890855484aa5c398f0f8625cd5e0
  • SHA1
    b319933107d13c293fe93ebd287d73d87c5c0f26
  • SHA256
    82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5
  • SHA512
    3d3be118d611863225e7f6ef424c24fbd8b43b4f716fb5d28b24597c537a3bea4f8f606750d3d7d53789646c6485b4e9e65a791eb5d6c566f9d1561d270c3c9f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2236
    • C:\Files57\devdobec.exe
      C:\Files57\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files57\devdobec.exe
    Filesize: 2.6MB
    MD5: d9b8644bb295d1cee3cdc03659b1209b
    SHA1: 0d1dccda718e9e49a943aceeb630b966b32a7fe8
    SHA256: 1ad7b52cfc3c252d1320038935949591108655a1c41b2455044ab83dacf1e263
    SHA512: 3c62bd529a453bac8134a478fedb68347bf5ddce029092a07ef0423c31debed7f99bf36a87219dba38b61a50e95e545d177632d718ee4436212329c3927cc6f7

  • C:\MintPN\optidevec.exe
    Filesize: 2.6MB
    MD5: 546e34e4832958ad53176de603e1a9c5
    SHA1: bedf04e0d2b695600ce8bdd67320c9f58a1e85d1
    SHA256: 70d2e4b86109f665509b92eb49eeee7287f6ddf5d45bc2694992291fdf3d8927
    SHA512: c50b650d5b939353149b1410dbf37465ae42331614cfe6269c4359f2ed9384eada74cc41a7036e3ead935f854ab1f9e4b12dd6bd0c8eeaf956accddf01d5976a

  • C:\MintPN\optidevec.exe
    Filesize: 31KB
    MD5: 6767e44b8f8de6e616ff4b3523b078e9
    SHA1: c871cc62c3911e5350a063da1333dbe1aede5281
    SHA256: fb9f9c9a72e0e98d461054f92faed7837baed42691d98807657f573b5375a6cf
    SHA512: 5660382a8368b7e9ffc099dc84a891904199c2feaa7bc7a16b39b7231f5102c04d6703a2b85492b3db7f9c101333e9b3270fe6657fd524d50c26b9d07958c2bc

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 50299a85fda32a0768d6a9823b8d930a
    SHA1: d05a0a744e1022e7e97dc276e5fa864916b99c14
    SHA256: 3247f7005897e582cc775648943047c786a571a2cae2a56fa18d7e5963365daf
    SHA512: da6bd0f8262ba74334d52ae839711b6df017205da0e3e3db747a38ff283af6b411ebb44ecd2a74f7df9cb55bfeb02df973886d6b936821e89b94170e2c3e8c20

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 1916fa1956e0e382c907483e4e796da4
    SHA1: 97ed328deaa3877841b66c069343e320b7505214
    SHA256: aef6eef814f984ae555e9e5d2fca714a0b1811b77c95116f497e3d6901297af7
    SHA512: 385811c80f0adf26dc487d524ec0f76cc11ccdd1b3193f7ed4a7870da6199b1dd701a13d8f3dea7d682f8d7731da959d1cfdf3b333bed3bb3311269f4973a6bb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Filesize: 2.6MB
    MD5: 3586df58c524f2821a61778d60444c5d
    SHA1: 66bb368ee13843bb11ea4224dae87771993cac77
    SHA256: a2ca0a505fe427dd892f3af8b7239da1936ae03229bd26b878240aa8fc3b7db3
    SHA512: 143af181e84a87f1156d8b33bf07db13eebd076faf1185a2b43552077ad221de7d116feb21e02447d51e5918f4bd4250011dbb3bc1b4938e65f370c4008fe04f