Analysis

Max time kernel: 119s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2024, 01:19
Static task: static1

Behavioral task: behavioral1
Sample: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Resource: win10v2004-20241007-en
General

Target: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Size: 2.6MB
MD5: f975d76498c7cff6e1a283bcb5a167e0
SHA1: 278b1b0092b196db6a2fd168a35c7bde8763e430
SHA256: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113c
SHA512: b4629ef75eb898a47bda3871d337a5a61856929202689ba83fd67ab0e62a7339ccb802fb06d199ce64fc0c31b759bc08c4335d5dd3e8019b9f802783876d8de8
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures

Drops startup file (1 IoC)
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe

Executes dropped EXE (2 IoCs)
  PID 764: ecxdob.exe
  PID 2964: devdobloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3X\\devdobloc.exe"
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe

  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEI\\bodxsys.exe"
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe

  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecxdob.exe

  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeats of the following PID/process pairs:
  PID 4780: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe (4 entries)
  PID 764: ecxdob.exe (30 entries)
  PID 2964: devdobloc.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  Description: PID 4780 wrote to memory of 764
  PID: 4780
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
  procid_target: 87
  (3 identical entries)

  Description: PID 4780 wrote to memory of 2964
  PID: 4780
  Process: d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
  procid_target: 88
  (3 identical entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe (PID 4780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 764)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\Files3X\devdobloc.exe (PID 2964)
    Command line: C:\Files3X\devdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads