Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 15:03

General

  • Target: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
  • Size: 2.6MB
  • MD5: 7c5ec4cf4d8f7aa0c39533542cb75190
  • SHA1: 21d9fcd8da84e8890c6aa625cc0aac4bff1ea977
  • SHA256: f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89
  • SHA512: 0f7924e7011e38a6a86157907a501e9ffec1a75d5cd0477e8e23b169d345a059e23f91d4efbc9227e530905337f3aaeafbed81677885d95f8582da1888b11d2e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
    "C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544
    • C:\Intelproc1E\devdobsys.exe
      C:\Intelproc1E\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1308

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Intelproc1E\devdobsys.exe
          Filesize: 2.6MB
          MD5: 38df838ec7348d7c5bef329612675002
          SHA1: 3563d8896a3d67e856f8175cb1e2f558efe123b0
          SHA256: 4675f8dfccce5ddd59a1a88cf5ac0790242e0c934e191d8f09aeffe9db5df3a8
          SHA512: 21fa247ba1ecadae805b9608b25d04fa95ce977aef53710e766e14e1946afb24ca60a2db58183de27a9d16ca2dfb00001e12616cc82292afe4143d1f09c07581

        • C:\KaVBZC\optixec.exe
          Filesize: 2.1MB
          MD5: 59feb39f95b809ee69ebb18cc032a9de
          SHA1: d1e25d355e0dfbe4741a216b04f89914186a3be6
          SHA256: cf321671a0681bdfa8669e62b96c981934024baf3e960310ae8617f955ef2ef0
          SHA512: bc3d6ee2d8666460da3fbbc40cb215df782e13b1abe0614ba77680b01ed1f50ce3493c8e7a9028cc82e9b782d0a717ca53ce6a08bc38e1c3d2404f326b634c23

        • C:\KaVBZC\optixec.exe
          Filesize: 2.6MB
          MD5: 2c0587749a273b7942fb53b32e8f00c2
          SHA1: 9ebbb7a842022c70a67f7f18a8e356c9bcc768dd
          SHA256: 7800b3dba1ffe9ae409d1e0a63f318ba4f8e294534b3a9cf7dc5cb60a7b101cb
          SHA512: cca9644c610afdff3809d34011edb3162ce276847a07d22624daeb6ae1cba9d91e9443f5485cc84cb57bbddc07874170033e89f6bec8112a6bf68c5c67566475

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 173B
          MD5: cec03702672449a152529efcf5fe1f6e
          SHA1: 8c8dff3dd43a46b908976601a09dd364275b3391
          SHA256: 7b3e650339e8b96315ca1fa60d207009080765cdd6a1fc3bcdcb7bffb267ea4f
          SHA512: 0821aad878f221b2a21645609423286f83145338cc6a0c9354d157ed904b1a1e3552506e11e0d9c363a6884b0e805d869b1184794fd317ca1c1655044c11a8ab

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 205B
          MD5: e54a91e36bb15aba4982f93b957539ff
          SHA1: 53434d4c206381b818903f495f254ae0df8ff527
          SHA256: ae3018e99941c8e3b88d9d4c2905c2ad9e76d0a94e6da5034716cf0e284023ca
          SHA512: 75c0daac721ac7972144e0a6099f72813f83e3ec769f9b2a6739d08f7a0cb4f4ea58371807d36adecb54dab604685b6e3ec7374b0d5dce4472320bb150354496

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
          Filesize: 2.6MB
          MD5: ffb9d6c2f0655550e2de2dd15f1d9d18
          SHA1: e177d68885de634ba38656b1971d92ea315a917d
          SHA256: 846c1e19f9b88370ff3ab8c215733b3d15ee9fc38014fa33424571f51c7575ef
          SHA512: d1dce4bc5ae2a48d3246d73d44f92b2f247015642233bc600d275c50f3ddb23a78e4a01f1c8b6df287587a4a71d4c715c45576e632a793f5e0ed414abaabbe3b