Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 00:01

General

  • Target

    42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe

  • Size

    2.6MB

  • MD5

    28059835fcef9aba9240ae90757e0290

  • SHA1

    a15d9d51328309f8bc59de08eaecfec07483e8bc

  • SHA256

    42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40

  • SHA512

    b4be8d2a584785d8092cec220f2b167977f9f53e49cc3a840843381a9ae69fff2bbc04a7b76e536dbe352bb5134e6ef1a9f612ae113a7d55e21600eac329d990

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
    "C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3040
    • C:\IntelprocTH\devdobsys.exe
      C:\IntelprocTH\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:696

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocTH\devdobsys.exe

          Filesize

          2.6MB

          MD5

          57a04070ca83c00ff16d6afade31a7c5

          SHA1

          1dfb31f42c9e6b2dd431797fbadff8babf933a20

          SHA256

          5e5d7c232601ee9a91f634a63593bbe782ef15f1927e2dc40b3512c66a10d98c

          SHA512

          92c354cde6e06357cf18fc93594927d0ac133f46a4c9739249a5dab2112617149e3c29b3a165ac91b0a7de37d6fb3949647abf5c6a639bfbed05a30bf5c15bcd

        • C:\MintXU\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          ee4827c1317f21bbec46b6a28ea36394

          SHA1

          5863a553ac702cf816b2f11b041a5424385c6594

          SHA256

          ee627072fbf25f3366053512bdb383272450f8caf3e68cc33c0da7d963de429a

          SHA512

          825dea012f777235880ece8f68a34b96d70dea2078b96836edeb52b270bcb705129399dbc749a93e57334fe3bf747771c3dab60540981e90ceacdc0ae8d22f41

        • C:\MintXU\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          ba1a8f6a982973e40427cc1f472919ad

          SHA1

          55bd6080a753e833b11c30c78629a35fb6251e56

          SHA256

          bfec55ff59b920c8e1a4dc5130857db17f759cc68c77c11d67ace65a762dffa4

          SHA512

          674184393b4b1727d77f6ac420999495d90ea0ca7258d15d14fadf68b146f0cd701d5e92db8d136e4bec3254737cd4ac21c5ef154390c3c50780db4dd37c3046

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          175B

          MD5

          5339d98b541f130e7572607f93dd6c6d

          SHA1

          e60c2c042c31ba5823b71b1e831ece6f305c8924

          SHA256

          4383fd5a5c969a36260717364bd96a65a6a147ad5f2b9b9bf490df476acb0eb3

          SHA512

          feb29794af6bd9f4d4e3f0acbbfcab73cc7d11011a505370970e8ac25d1939f71f8aea2460b949855100e528de76bf2ece96048da0b575a1705eca491bf8504e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          207B

          MD5

          abbedd48e1c2605dea6dd1752ed9c2a7

          SHA1

          539e92d1ca976460434c09433a823f03485a20e7

          SHA256

          9eb233bb37831478ce49c86935f155475b57ac6d86b785825cc20baa01467422

          SHA512

          9d913e1b15f8a865518cebdf271834f3f72970f865f3d1a03fce449bab6ccc148493bebb127daa08846c8cd1627acd0a79693499537fa9b24370c9e49c501d74

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          0b54a8efe9dfeedab9b30b33d7db7f85

          SHA1

          6bc8fe5c30073b2d87ad7d4b2c19ee0bc2c6deba

          SHA256

          ffcbc857921e6643893b4530e04df28129c39c7ddb9db67f1a578e60618e0ac3

          SHA512

          5293bb636f67651bf37157bcd6f3b2ebbc658559ef69d7109a8fea6876b881ea32b6b5e7fd4890ec09390149b1150396d146e656b096077aaf8c7ebc237e5b1a