Analysis

  • max time kernel: 120s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 22:57

General

  • Target: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  • Size: 2.6MB
  • MD5: dba9dda9620788444587443054e95a30
  • SHA1: bc5d0c6ac4e052f310d2ad992dbd7bbc1b315e25
  • SHA256: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87
  • SHA512: 4ecf4a0fa0cf2f5ffe7a82e1a5d433e10c9220aa917f0121d0b7f00e7c723cd6c1b0f3ff1ac4bfbfb95f3d5122b8eea0dd931106454b535b91a90317733eed07
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpjb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
    "C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3260
    • C:\AdobeHT\devoptiec.exe
      C:\AdobeHT\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1256

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeHT\devoptiec.exe
    Filesize: 2.0MB
    MD5: 5ccecb4bfda35edbebd7081505566219
    SHA1: eef3c415f356aa1b5112034a5fc8599f086d2700
    SHA256: 31eaa458538895949e4eebedbcd3a78720febf3554f61e73b3e10b408831454a
    SHA512: 9f947969db1c9de3e267dbefe253be876d0fa7e4b02bb46edbf103059b45c74e030ae671b5d7294c1c9ffc68cea03d59a3307862dff77903965ef0041d5ca95a

  • C:\AdobeHT\devoptiec.exe
    Filesize: 2.6MB
    MD5: 56d51b3567dc903a7052a24f2e68be5b
    SHA1: d01e7083e0f41fd7bc3c3da2d644626812922db3
    SHA256: cc5af927c0248e9f368e6c26f66666c9eff5c32b6128fba6b38110ceb0d461eb
    SHA512: 40f26921b1adef3f852de4bfb699c16a3d6e2cd16135141532cb8c0997e624a45f65c27484d9307ac6c26616582b87bc43cf3fcb92094287ca70656f31370e39

  • C:\KaVBW9\bodxec.exe
    Filesize: 2.6MB
    MD5: c925546af61c25da7a7cbe9eb39aaf37
    SHA1: 6d0d651a58d5782634b9d92ad7b4dbc162db67e8
    SHA256: 92ee2a0298fa16ed68633b5aaa01a9a0f2676c7a63ea5ca88cced7db1bda3ec0
    SHA512: be62d0cb988f155f75c8b94039423d4d76b3c8af51c6a842e2a1b3984a784e9bc7f8391e83c8a078c7ed81477120ad1516f0dbd14cceff1e2ef8cb30df79009b

  • C:\KaVBW9\bodxec.exe
    Filesize: 1.1MB
    MD5: bf04fa63bb070dd2845042a04154d8a5
    SHA1: 3e199415a13f2ec61be39ab9ebb7850128187d9c
    SHA256: 3fe58b002e3811a783bc9a694b1d3d35cb18e27f7bd5398f2c803dfe9585aa5b
    SHA512: 18d5b0bce56c1b66cf437e27aaecdf00800356bfa9bf5716be626ca9d436d8e4d9f99cf6066e08d5f4d7b91caebf27dcae4cb46a3c86e051d75f56bdd844a991

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: b39bd4f2a1188c5e35356ed0edb734f6
    SHA1: 0dfba04ba7770ca590870f12f37d6ae9774608e4
    SHA256: 33d708e808ce4840df600ccae3ecc2c4233d909ffa5be5c72e1eec88fa0ec7b1
    SHA512: fa0e33b6b2d84e5fc308077c46c59a57123e104cda8335fca970755f64ea375803bb471edf9b760113f754f26d7d9201d1b02102201805a83ab99669d273b8e3

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: 4708898b9ddb9a3949b84fb74c7c371b
    SHA1: a6e72ef74c0ba3019bc08f0377a59f681be9121e
    SHA256: a4815983fc9678799916820365c07b83f0f8c0439c62c21be2e6e49794cf83f8
    SHA512: 9d2d8fce9fca22f21dbd6bbec6045b9942f6b859323a5701af237fd67fbb5b60871b77f4c1396a5d1fbc16f2436f932c047c5e0a2a9c9a01d49ddfb5d18fb9ce

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 2.6MB
    MD5: f07147311af481dcdd76a564227f6184
    SHA1: 32d3d2e74c9de51e984c8ff3c35845671daf2921
    SHA256: 8e9ad0a0ab8b3590fbee792a445150afd75fce6f6d27dcd8cb96780abfbbbd48
    SHA512: b5b709e8447e9ec49059df1b2d8ad3016b1ad42a408c5f9bff886e65cb57d4f47b217105a4f7577ca835c24612ae3f6bd7f59cc308ca168fbe5e1a40dddfda04