Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 01:19

General

  • Target

    d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe

  • Size

    2.6MB

  • MD5

    f975d76498c7cff6e1a283bcb5a167e0

  • SHA1

    278b1b0092b196db6a2fd168a35c7bde8763e430

  • SHA256

    d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113c

  • SHA512

    b4629ef75eb898a47bda3871d337a5a61856929202689ba83fd67ab0e62a7339ccb802fb06d199ce64fc0c31b759bc08c4335d5dd3e8019b9f802783876d8de8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpLb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:764
    • C:\Files3X\devdobloc.exe
      C:\Files3X\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2964
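The process tree shows the original sample (PID 4780) both dropping a copy of itself into the user's Startup folder (ecxdob.exe) and adding a Run key, which is the combination the "Drops startup file" and "Adds Run key to start application" signatures flag. The following is an added detection example, not code from the report or the sandbox vendor: it runs two rules over constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 13 RegistryEvent SetValue) and correlates hits per originating process. The image and file paths and PID 4780 are taken from the report; the ProcessGuids, the user SID and the Run value name ("ecxdob") are assumptions, since the report does not list the registry value.

```python
r"""Persistence detection for the pattern in the process tree above: one
process that (a) writes an .exe into the user's Startup folder and (b) sets a
value under the user's CurrentVersion\Run key.  Events are constructed
Sysmon-style records (Event ID 11 = FileCreate, 13 = RegistryEvent SetValue).
ProcessGuids, the SID and the Run value name are assumptions; the image and
file paths and PID 4780 come from the report."""
import re
from collections import defaultdict

STARTUP_EXE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)

SAMPLE_GUID = "{0f0f0f0f-0000-4780-0000-000000000001}"   # hypothetical ProcessGuid
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"   # hypothetical SID

EVENTS = [
    # the sample writes its copy into the Startup folder ...
    {"EventID": 11, "ProcessId": 4780, "ProcessGuid": SAMPLE_GUID, "Image": SAMPLE_IMAGE,
     "TargetFilename": STARTUP_DROP},
    # ... a second copy outside the profile (not a Startup location, so not matched) ...
    {"EventID": 11, "ProcessId": 4780, "ProcessGuid": SAMPLE_GUID, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Files3X\devdobloc.exe"},
    # ... and sets a Run value (value name "ecxdob" is an assumption)
    {"EventID": 13, "ProcessId": 4780, "ProcessGuid": SAMPLE_GUID, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\ecxdob",
     "Details": STARTUP_DROP},
    # constructed noise: a shortcut in Startup is common and is not an .exe
    {"EventID": 11, "ProcessId": 1234, "ProcessGuid": "{explorer-guid}",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    # constructed noise: an installer that only sets a Run value
    {"EventID": 13, "ProcessId": 2222, "ProcessGuid": "{setup-guid}",
     "Image": r"C:\Users\Admin\Downloads\setup.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Updater\updater.exe"},
]


def classify(event):
    """Name the rule an event triggers, or None for everything else."""
    if event["EventID"] == 11 and STARTUP_EXE.search(event.get("TargetFilename", "")):
        return "startup_drop"
    if event["EventID"] == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "run_key_set"
    return None


def correlate(events):
    """Group rule hits by originating ProcessGuid.  A process that both drops
    into Startup and sets a Run value is rated high; either alone is medium."""
    hits = defaultdict(lambda: {"image": None, "pid": None, "rules": set(), "artifacts": []})
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        h = hits[ev["ProcessGuid"]]
        h["image"], h["pid"] = ev["Image"], ev["ProcessId"]
        h["rules"].add(rule)
        h["artifacts"].append(ev.get("TargetFilename") or ev.get("TargetObject"))
    for h in hits.values():
        h["severity"] = "high" if {"startup_drop", "run_key_set"} <= h["rules"] else "medium"
    return dict(hits)


if __name__ == "__main__":
    for guid, h in correlate(EVENTS).items():
        print(h["severity"], h["pid"], h["image"], sorted(h["rules"]), h["artifacts"])
```

Correlating on ProcessGuid rather than PID matters in practice because PIDs are reused; the two-rule combination is what lifts the sample above ordinary installers, which commonly set a Run value on their own.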

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files3X\devdobloc.exe

          Filesize

          2.6MB

          MD5

          0d0837fc57dfbd33269439426341a684

          SHA1

          af075cec6c3c240c456526ea9e7d77c4c3a4dd69

          SHA256

          39897b94384d84cb544b37594e0fda17ea6e6daedd11b6764452560bf0e62534

          SHA512

          ab766a6a007a946e550db347a976b98d1313c656905f9b64230711cdc865af8efd874b81d8fa58f689fd36e69b445b229599985669d9c339288b97be296a8182

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          553732abc93bee21a254326f8af6f514

          SHA1

          340daed6819acf752c6b4802499fe1fccc944d05

          SHA256

          912ffca1f4fc604b337d487ec66ef29e0ddfa11bc02365a87b71f6c8141885e4

          SHA512

          719d4d75272be1f402db8ca9e0542aa099593c18ed2e0c5429135f288039e70272707f2b40fbc8cf90b11a8cb46f417b0b7a7f749ac5af47053c767451a3ed3c

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          fd18659289fa188a33b2c00821b73614

          SHA1

          ce425aae5ac7a10e9f967740ca4f5a4c8581786a

          SHA256

          fa7e0362559c7ac7e8f24df15b66714f46b0a0d6c6dc01bb7429b5926ccc5eb4

          SHA512

          51dfbeeac84cb591d38319266b1fd5d9bf6206d5e166bce1e22b3746c63ff570e3de7d7d58eb40c6fc6d5a36a8d4950787b03203668517a54252b7b6720b2fb3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          d19b929827d354495470fa4e167c6839

          SHA1

          8f3e82446bd8e2540b5ba1c2583e953d90c3b02e

          SHA256

          3555a446a96fbfb9b894f61719777feeb594640b494f681b4768ecf48cac0c23

          SHA512

          ac534f3737d7e8df9c0b411c64621027198b419604f016ecfd9326ea6d0e0c9a1437a7140cf34fadc710a1c6936e6bb26c28ba31b7a1a0b6c5729f0470f89824

        • C:\VidEI\bodxsys.exe

          Filesize

          2.6MB

          MD5

          c0d1bd164f639b6fa712e27e4c1d5b9f

          SHA1

          853bfa7980b5b5fdcff3d16fbf8ded82b8f0f67b

          SHA256

          06baa796303d3bf1cd0bc634a45d812d892fccb099566ed2a6f1e006101e9d7b

          SHA512

          f1fa867eed4bbba71c5d4f3786a276a3f61c5d76a197450683938c5f8cb4e1e178f38d9a81dd66fda0828cddda8de19ba9a283f1d2da7adef1716aaedf4a9ef0

        • C:\VidEI\bodxsys.exe

          Filesize

          2.6MB

          MD5

          56044aa01c5c1a3c2c13e12ab92c0dc3

          SHA1

          97eb1490e48894f7d324b2f7d0a2b70440107295

          SHA256

          5994cfddb99b9641a721319a369fbf93870634852f214d8cc031411a96d894ce

          SHA512

          0b761bb74aca7a5a44cd13e4cdd97372cb0f968625864c7fe46a7f7d184d89e95d7f06f4142bb2bc55712d08a652374b401a70fb9e0f918f3175f109e2b82dc8
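The "Downloads" list above records every file version the sandbox saw written, so the same path can appear more than once with different hashes (the Admin.ini file at 200B and 168B, and two versions of bodxsys.exe). The following is an added example, not code from the report or the sandbox vendor: a parser for this flat label/value layout that turns the entries into IOC records, checks that each hash has the right length for its algorithm, groups versions by path, and flags paths under the Startup folder as persistence locations. The embedded excerpt is copied from the list above with the SHA512 lines omitted for brevity; the parser accepts them when present.

```python
"""Parse the report's 'Downloads' artifact list into IOC records.
The DOWNLOADS text is an excerpt of the list above (SHA512 lines omitted);
blank lines between labels and values are ignored, so either layout parses."""
import re
from collections import OrderedDict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_LEN}
HEX = re.compile(r"^[0-9a-f]+$")
PERSISTENCE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

DOWNLOADS = r"""
• C:\Files3X\devdobloc.exe
  Filesize
  2.6MB
  MD5
  0d0837fc57dfbd33269439426341a684
  SHA1
  af075cec6c3c240c456526ea9e7d77c4c3a4dd69
  SHA256
  39897b94384d84cb544b37594e0fda17ea6e6daedd11b6764452560bf0e62534
• C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize
  200B
  MD5
  553732abc93bee21a254326f8af6f514
  SHA1
  340daed6819acf752c6b4802499fe1fccc944d05
  SHA256
  912ffca1f4fc604b337d487ec66ef29e0ddfa11bc02365a87b71f6c8141885e4
• C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize
  168B
  MD5
  fd18659289fa188a33b2c00821b73614
  SHA1
  ce425aae5ac7a10e9f967740ca4f5a4c8581786a
  SHA256
  fa7e0362559c7ac7e8f24df15b66714f46b0a0d6c6dc01bb7429b5926ccc5eb4
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Filesize
  2.6MB
  MD5
  d19b929827d354495470fa4e167c6839
  SHA1
  8f3e82446bd8e2540b5ba1c2583e953d90c3b02e
  SHA256
  3555a446a96fbfb9b894f61719777feeb594640b494f681b4768ecf48cac0c23
"""


def parse_downloads(text):
    """One record per written file version, in report order."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # layout blank lines carry nothing
        if line.startswith("•"):          # a new artifact entry: the path follows the bullet
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:              # a label line; the next non-blank line is its value
            pending = line
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return records


def check_record(rec):
    """Return problems found in a record's hashes; empty means well-formed."""
    problems = []
    for label, length in HASH_LEN.items():
        value = rec.get(label)
        if value is None:
            continue
        if len(value) != length or not HEX.match(value.lower()):
            problems.append(f"{label} malformed: {value}")
    return problems


def summarize(records):
    """Group versions by path and annotate rewrites, executables and persistence paths."""
    by_path = OrderedDict()
    for rec in records:
        by_path.setdefault(rec["path"], []).append(rec)
    out = OrderedDict()
    for path, versions in by_path.items():
        sha256s = [v.get("SHA256") for v in versions]
        out[path] = {
            "versions": len(versions),
            "sha256": sha256s,
            "rewritten": len(set(sha256s)) > 1,
            "executable": path.lower().endswith(".exe"),
            "persistence": bool(PERSISTENCE.search(path)),
        }
    return out


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS)
    for path, info in summarize(recs).items():
        print(path, info)
```

Feeding the whole list through this gives a deduplicated SHA256 set for blocking and a short list of persistence artifacts to check on hosts; the rewritten flag is the cue that a single hash of the .ini or bodxsys.exe will not match every version the sample writes.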