Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 00:00

General

  • Target

    75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe

  • Size

    2.6MB

  • MD5

    a3596b0537ebd98b9da4548ee290f590

  • SHA1

    1e66d8cc4d99eafdae32f3544389cffda2bb2071

  • SHA256

    75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468

  • SHA512

    712dad09e851fcc2e52c75989182f2d5c5a74f65278b50bdc7c34f3c8bb53052ba8c1cdbc049d81e08e9205f98e5c00ab4b11444a982297aae3ab4dd4d0c8b66

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpYbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
    "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2488
    • C:\IntelprocKF\devbodec.exe
      C:\IntelprocKF\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2252

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocKF\devbodec.exe
          Filesize: 2.6MB
          MD5: 66e188db09a72c219fd145f38939b1cb
          SHA1: 30b057116311de0a61d07b14e24b01421eb647ee
          SHA256: 45dc162769c3541006cdac120e7792222bb80f0e28488ddc82828ea85e453018
          SHA512: 90b0553f0847628f4151310b9513128b1aa4ef69a84f6bd3152dd04046e984120e2b1728ea2cc3082f3d9787a0f93d3db90ea317ea1d2bdff2ff28e859639d8b

        • C:\MintNI\dobdevec.exe
          Filesize: 2.6MB
          MD5: b00c25ab3ad6003b6cc2e01a039464a1
          SHA1: 64a88d29e367901d1955c349bc916b192e942f66
          SHA256: aab792bf0342c29ce944bb1387acf03ab9d0b0cebdfc5963fde36124b861479c
          SHA512: 72eaa219fc788fa83663f65670647f1b784e4a6462b6b6c0a5cb379b9e816b5a8809efb86e332959e1ff604f163fa0b23c6800749cfc00a4f78bb673e8a3f0a8

        • C:\MintNI\dobdevec.exe
          Filesize: 2.6MB
          MD5: cfb381df98a1b38894d18d5319a541e2
          SHA1: cdac3159f495a2e468e1461653f1ee7dc1e5e9be
          SHA256: f5424cc8894309e5e08da525401cd005c7c8cba598ca0260ad6f45086c31506c
          SHA512: 8aa13f2068979bf22e0b60a1c6602dde31600e28f788e8b647273fb9bf8c999287674d64b69d779e95e1d514c492633fc4c33c771dd54a2f1958fb440fb940f8

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 176B
          MD5: 56df387be03c9b6b4d354b6023eec656
          SHA1: 49b1264550a3491f71c1b7ad89f091e434933e7c
          SHA256: b7d6b84cb7032058aceb2d886edaa69cf102bcabf5aebf05be8e8c539e4c168a
          SHA512: e0af618115a01691d802d31e2ee05b5a03d3ecde674cd528dd29acbcf2e19a9a3c09a8c767271bd81d1efbd7fdcad415191b5abca13f5e7d5bc9afc5ad8cf495

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 208B
          MD5: 820b7e4c56ecfd1e25960daf10900037
          SHA1: b991cf770196bd29a85c1ee680e691eaecf83c9b
          SHA256: 06f971e1701e9259116d7940f136cc372033594372e93414ac9e7fb7822bc793
          SHA512: ba5c7a6ea4064f22ec1bd016b47cc822e22a7862fd8fe3aa8b874ac43bdb4d40fb5ab4b03051b7a45de7d52cbbb4e24684631dec759fac593c8877d055530895

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
          Filesize: 2.6MB
          MD5: 6bed96784cd83a7f5a13bf1b1d7fe72e
          SHA1: 8a132c167130ffcffe1a55b79424405bdf8c1d71
          SHA256: 6899223834386d94afb3445b00ebd3063e113f8b844c010adf23637749682d83
          SHA512: e67171fcbcdd487b4ad66ddf6da2bcc3090afacea4b9540ff8e7301d38b9e0c4446a8368f32d82f2a4cd5dafeaf286eea4f4b9dd45c9b4b0e724be402a45edc0