Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 12:22
Static task: static1
Behavioral task: behavioral1
- Sample: 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Resource: win10v2004-20241007-en
General
- Target: 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Size: 2.6MB
- MD5: 6bb5890855484aa5c398f0f8625cd5e0
- SHA1: b319933107d13c293fe93ebd287d73d87c5c0f26
- SHA256: 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5
- SHA512: 3d3be118d611863225e7f6ef424c24fbd8b43b4f716fb5d28b24597c537a3bea4f8f606750d3d7d53789646c6485b4e9e65a791eb5d6c566f9d1561d270c3c9f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  description   ioc                                                                                        Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2236  ecdevbod.exe
  2508  devdobec.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files57\\devdobec.exe"      82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPN\\optidevec.exe"  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devdobec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
  2236  ecdevbod.exe
  2508  devdobec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 2464 wrote to memory of 2236  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  31
  PID 2464 wrote to memory of 2236  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  31
  PID 2464 wrote to memory of 2236  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  31
  PID 2464 wrote to memory of 2236  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  31
  PID 2464 wrote to memory of 2508  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  32
  PID 2464 wrote to memory of 2508  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  32
  PID 2464 wrote to memory of 2508  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  32
  PID 2464 wrote to memory of 2508  2464  82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"
  PID: 2464
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 2236
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files57\devdobec.exe
    Command line: C:\Files57\devdobec.exe
    PID: 2508
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads