Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:55

General

  • Target
    2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  • Size
    2.6MB
  • MD5
    757fd4a96075124bd1bfe506f6fff955
  • SHA1
    c035eeb5e726d7515b76a17431c63e83868bc627
  • SHA256
    2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7
  • SHA512
    fdd75ea3a80a8eceb66da72918976c57d29b8b9c015fa212fc5041b23e54e96a8dc239dcf04a6af82332ceac6e8854eaed02581b79ea5fc7bab580f0388ab6bd
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
    "C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1312
    • C:\IntelprocGS\xdobsys.exe
      C:\IntelprocGS\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocGS\xdobsys.exe
    Filesize
    2.6MB
    MD5
    001678ed2caaac502a1f43861a7bb520
    SHA1
    c4be4dbcc56ddeb94f2a9d0cf8a708fbf65b2250
    SHA256
    0daafb97a99c5963cd974669d23ad9ffc66baf93352389b7ee855dc7f7d2e803
    SHA512
    932e61d89afe43b28a6d7cfeb844d21934bc83351c712ed8331c4742803ac3da9aa355ab271bbc65435ca72a3a8328b18a14c45ba4893a14da26e24d503c7bf8
  • C:\MintVO\optidevsys.exe
    Filesize
    2.6MB
    MD5
    005d7f2bdadad253ebb2a009399b3c7c
    SHA1
    bfd1ee4b9fcb7b8c3cd75e90c01e51e4760da6b8
    SHA256
    eb038adbffbbccf217928a650d6d1157b3a596b673e0945802d9e691331ebbf0
    SHA512
    b6b762d5b61e1c5de05cd69d78266c4da54201e1ee3adfe26999c0b888e22d7a4aca856625d153711dbce0b286402e5a082e6db0ad532371932951a28665737f
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    208B
    MD5
    cedb5fb349ceff525093d516e99e0e80
    SHA1
    d938e3768051e563fe5dc21854af479062790b0a
    SHA256
    8b2e49c7bfb8988a95a03c4f89b861867ef38ad64a5228c3b279aeb1641df1d8
    SHA512
    43c9832f93f33e93574e5916b1553327b44647adbb271f409e680095677533e3325b270dab5aa44fd5b999c5acf4c2cb36e1f85b58c8550837e06ec781bdd7de
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    176B
    MD5
    10209582701a00f1eb4d6571a2d9c8a0
    SHA1
    37b71138880a48e7b4fb1878806cda7a84e206ed
    SHA256
    cc6c92045f3e5232fb6a423fa9f6081b1d890e5e685347d2f550af573cd2209c
    SHA512
    1ea37b95a99ab790f6dd2a4bce73ea9808f4b4bbfc8fc643591f221f4484c3286b0b22b857a513f66dac0fd39065a51369a25523bd7d8582b3d3e09a57fad6a4
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Filesize
    2.6MB
    MD5
    06c5f346610ca58f13c614d7c3dc7763
    SHA1
    7a4174e2ee7677fbf52bde20cd992812e2217d6e
    SHA256
    10af2c834476d33b9928aec51f876d2366d46d3e27a99a842bdd0b3ad9e18e63
    SHA512
    32a7e4021b183e29ead8b4ae12a0cee7eff36a3689010b27d4cf6200c9bc306affe093d060dad3b20bbb37543a99a24612469eae0f61a7489feff6da644c5d1f