Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 15:02

General

  • Target
    d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  • Size
    2.6MB
  • MD5
    38c782e87792354ca420f178655dfaf0
  • SHA1
    55a9e267dda831d2f8fa98094e6ef04442c51bb2
  • SHA256
    d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604f
  • SHA512
    acb6c699271127b8f9d38604f28388f924f8f7b93d0ec4e3280a42d6c0f7229c225ff4224d52c46510c8abfe17bf663d02103d4b561847ab20a226f64340f220
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
    "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3256
    • C:\Intelproc4X\adobloc.exe
      C:\Intelproc4X\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4768

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Intelproc4X\adobloc.exe
          Filesize: 2.6MB
          MD5: 8fe1ba40f9c97ba155bb0a2c673bb5d1
          SHA1: b783b067d8c1f9bc2618babf486ac0cf346b2856
          SHA256: c8d5611539f064ebdfd0e9c7a83d908047a3a2e1f9939caf818998414a5ea1cb
          SHA512: 29122daf46e11a17253f64e110fea247a8b07a58efa7f1f4b8eb4775f75c5d025ac394194771454d84bf88c981a53be0353a7f1962c24a3e55abdf8d5fee4788

        • C:\KaVBC9\bodaec.exe
          Filesize: 2.6MB
          MD5: 6cbb35f729029522107489be5b65c7fc
          SHA1: c034e51adb3b36da130487f6751c50e260654b1b
          SHA256: 5c02c3fd083c2c3c788aeeae3cb1a99a405094074ac82b842c61f4ea660e6061
          SHA512: a58b941e57ce366974c64ff210c4a9a02559053ccc0cf5ccb55c380b119cc5538a74f298d9aa5eba512d9abc5a7e331b38ccfba6b49150f79ddcf57db73d522b

        • C:\KaVBC9\bodaec.exe
          Filesize: 7KB
          MD5: 20ec6effd447fb35f7db816f8c616148
          SHA1: c8c9edd9f30b93dc161fc035c69b57e7af305dce
          SHA256: 43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7
          SHA512: 6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 204B
          MD5: f8ab6d8faf85ee56838f737e91d39fc7
          SHA1: 7e06cead2ff139961875dc7ffaa17faf78426905
          SHA256: 44ab223fd74758dd23b5a1694f1191040fdc8d664d611ec67ec11c48813dffca
          SHA512: ed9cff55984dc9c99cf194da98ef236457480be4ca94f97714a78af1a932b05c5d1eb9c2ec4294181158d8a2cfb9da0e73f203e378839efd306013ddf495cff1

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 172B
          MD5: b2b1c316e726793f9019748527d2bbfd
          SHA1: e71bc8817d9e59d6e8a46cda70c2c8a7e9d9b949
          SHA256: 13670891a0d80dbea94274b8b3558d50650bd84fe6e01f049ad57e473204f480
          SHA512: 1aa5318b9b19e9851ab3484fec254b0aff1dcb0a89431c1c73b22f82cc36793e7b4b7ba4a73a8298a4ca838abb5f6ca1e3909e2897d6e5097d31ac9c1e22dda1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
          Filesize: 2.6MB
          MD5: 6815b175b20c15c35ce583a6e786c9a0
          SHA1: 903fded3d9f648528e9f828226478c316305e77d
          SHA256: c54225be5740cc2e3deb0a8288abf171f79a9c6a4ca2bd887e42827fccdaad7c
          SHA512: 8ff2ab0b77b370940ab8a8d6c24bbe7bd86e7725618a0698f3ca58ca4ec21f957dad6231cf7af841e710e037d66182ee92e2590d95890330ad7bea4a918ff8c7