Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:40

General

  • Target

    adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe

  • Size

    2.6MB

  • MD5

    0bb6856eb3a00807c6d2b7b08fea245f

  • SHA1

    873b6af8a3c21721956b73e407c39128fdf9172a

  • SHA256

    adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149

  • SHA512

    45eeb5e6e597299d6f1fe449529cde217ad194131db13fbfd139a89901908bb1382af46c3b48a015fb74377e37b91fd773e8beeccd56352ba412ebc92720a7c9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpwb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2772
    • C:\Adobe0W\devoptiec.exe
      C:\Adobe0W\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe0W\devoptiec.exe

    Filesize

    2.6MB

    MD5

    952a69b0cf05ea7769a22fe20e9c0273

    SHA1

    aa134d4f925692548329f2634c86285fd6ed4fc6

    SHA256

    3c998585056ea30251cb20005cd8e5a4c6087545857bd07ece7aabaa8ffebf31

    SHA512

    162177be5064d30cac9185aa43a1c5490a99a258456f2ef4883a8b36ca6565eb28abf6be2da2ed74a71b8e54c0c6319730e73fb251d29496ea41011fd489a9f9

  • C:\KaVBUF\dobdevec.exe

    Filesize

    2.6MB

    MD5

    dd579b5c4e5faf4f020b6bffc07f20ff

    SHA1

    85c2a2424c729c1528cd69bda7590e7fb45a0f06

    SHA256

    4b28a1d2644754b460a8d71600c924f1e9801c43c9220f4bd08dbab52385ad5d

    SHA512

    f27e0c45250435dfa03617b76383a55ca55bb292e6e3b4aea75907ccd1b8d8dec6e0c65f93a5c435571096c5240a1eb6077fe63d52d402d1c680b6becb026372

  • C:\KaVBUF\dobdevec.exe

    Filesize

    2.6MB

    MD5

    ac65d1e7f770f82f011453f3b30548ab

    SHA1

    8886bfaa320f088e548f85de79672593257e6ab4

    SHA256

    0b0637aba764434390e131d2fe464ed39db034730fa7e7f2c118b9d40e01e027

    SHA512

    e9e6fe1e99dd94cb7b8e44f8524f917e84a1e3a7f2d617b3d5281139e1db2a642c0aec3b883874eb4cf85c05120769523b65ca1d0421f878adcca8f05541340d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    03da581fdcb555a312b7f65d9892de16

    SHA1

    ed0507ecb47243ef1d97bcc3b970b87a08051510

    SHA256

    57126409dd78902b2c84b4069b47c577fc02407ba498322ec13d899ba77c3554

    SHA512

    2bf173b37ab2efdf4dd53356ba06489e549d81fba25faf78e538a185cbc58bee99f61210e997cbac56712bf1ff17509865c5083eade825f1e17b0df5e6ff39c1

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    58ca626b602baf24a71e993638ec0f15

    SHA1

    fcf517798541bc6025beff048e1ac596e603bb74

    SHA256

    3cd1df1975da49134c19659e168fc4f3681861739cac0f603dfe6857c3695725

    SHA512

    df363d68de7a2159da4ee77e79c020c2cffe5acad373d27dc0ae442941e3f71881dc00c076a165b2b533f14b8384a517fa8f538bff2b4d058c4071a614822075

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

    Filesize

    2.6MB

    MD5

    e462be43d49d3df2b11c155d75a5fcf0

    SHA1

    951a8105fa8f9a009be41e4eb8837a15d700f438

    SHA256

    9a81c195d2f67fa87858bed62bdc26d9e3cab1951c11db11b506452953f67fb4

    SHA512

    45523cbb045eabeba0d363465db94116398b2c856eee7ec4ada1e4461621fbc85a3d82461ad4a9bfa51e0d6df2a012c911b5bcc361cf87c0c3213960d1905806