Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 19:27

General

  • Target

    09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe

  • Size

    2.6MB

  • MD5

    f275dc4fd58a355191f68c8f70d280e2

  • SHA1

    3e915e33e978db0d5b8597f60b1b845ecdadcf88

  • SHA256

    09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc

  • SHA512

    0fc2b4f95577f4970622cf397c9302e2f59f03a8fc98a86129516b41d67c535857a5ace0082c5aa844dcb2bf50f934d9d61f8f3b514e961fd51cb5c76c87a57d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpIbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
    "C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2140
    • C:\SysDrvNM\devoptisys.exe
      C:\SysDrvNM\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3064

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Mint33\bodaec.exe

          Filesize

          2.6MB

          MD5

          cf19b5e048af2bc4220c814fdf1cf7c5

          SHA1

          4862d2152ebc482e24de00d840b4a06c400ecd31

          SHA256

          2871b6a285f21c592999ed747b64ef3ee19a1529a17663acd326028be3959953

          SHA512

          2e234a66d17aa25f4338a75747d9125a28be544ec03e49de58b3b0b04466a53f891f8b17ea078c54532ba64a09f0db59805982f1512ea56f749e13e9a6208519

        • C:\Mint33\bodaec.exe

          Filesize

          681KB

          MD5

          25aa29c07fc174ecef23d18549358829

          SHA1

          b53fed6ce171589af14f1e467dfeda21c2dcfaae

          SHA256

          9d312039e170639732b40f40dac83ad56f8ebbe300c08e89032ef554a883afd2

          SHA512

          50a8f5084c867d5adb96211f05f35f73d394df2d1493c7bce99b2801892171aee4d666cd424640062a9cb664c4e6be1c48df9be7035db76ba2667299ba5237ac

        • C:\SysDrvNM\devoptisys.exe

          Filesize

          2.6MB

          MD5

          74ed46df2ccf3d1b75e4d3b67a539492

          SHA1

          7b490d1225b8b3a924de6a67f6b8191544fe0f6a

          SHA256

          759fd8effc718d28a42ac255b4b4f66d5e7e2fc67173c688601929393931defc

          SHA512

          ed23b0219ffbfc48612c5580fa64d97b9a9bdeb86f600b02cd529d5d597d4878e7b2667cc92e31811617d685fce56f9173e613da4803da703583f4ecdeefc31b

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          96252d91e9553bf99cc252eea203ab23

          SHA1

          2d5adff41c57bdea337e0b1d1bd68c9c179fe6cd

          SHA256

          3e6653869c0f6b58bb0859e964666b8dad8ba56578251653ce15b0c2aaf45518

          SHA512

          bcc3e6cf1948f4f2ff65b8feda5d9850c47e845b49fac201db843763b650806a1ae19e5cc97f902947e703d8bed81b3d552fe683375602d57e90a69ad84d0eef

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          730b79f68cb8da026309af1dee9f27e2

          SHA1

          22df0fefc3166d75de33c1f6294bcad6ba95321f

          SHA256

          45dcbbdd0b52e42e0ffdb6911f50fc3b411e1f86af8130ed8ad6d6fb61db96de

          SHA512

          ed9e16afd5a3356e41a84950074f26c6f2e3a8d8486f58671ba76467ea951029d4a9ff682f451f508d6cc317cd228902eeed0ed685a7127cd25425d5c19ef60c

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          acd3ee7536df6a9951a78c4ca62417a8

          SHA1

          cea9df8dfb005d4a0df1bcbe47f3a63d99707bbb

          SHA256

          f8fdb440f4064f7863d55aba585597d8d7057c2d884e559681df276b79fa610c

          SHA512

          5245ca1cc43cf9a4baa3c40de698c608b9b55d3f3231e1f5cf4bc3356c4261d1854dd61e408e069449a6d13b3c383a55b46863aed94a12d22954c1865a56c477