Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- Resource: win10v2004-20241007-en
General
- Target: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- Size: 2.6MB
- MD5: 0bb6856eb3a00807c6d2b7b08fea245f
- SHA1: 873b6af8a3c21721956b73e407c39128fdf9172a
- SHA256: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149
- SHA512: 45eeb5e6e597299d6f1fe449529cde217ad194131db13fbfd139a89901908bb1382af46c3b48a015fb74377e37b91fd773e8beeccd56352ba412ebc92720a7c9
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpwb
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (process: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe)
Executes dropped EXE (2 IoCs)
Processes: ecdevopti.exe, devbodloc.exe
- PID 2912: ecdevopti.exe
- PID 4208: devbodloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7Y\\bodxec.exe" (process: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot01\\devbodloc.exe" (process: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe, ecdevopti.exe, devbodloc.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe, ecdevopti.exe, devbodloc.exe
- PID 1084: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe (4 events)
- PID 2912: ecdevopti.exe (30 events)
- PID 4208: devbodloc.exe (30 events)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
- PID 1084 wrote to memory of 2912 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> ecdevopti.exe)
- PID 1084 wrote to memory of 2912 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> ecdevopti.exe)
- PID 1084 wrote to memory of 2912 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> ecdevopti.exe)
- PID 1084 wrote to memory of 4208 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> devbodloc.exe)
- PID 1084 wrote to memory of 4208 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> devbodloc.exe)
- PID 1084 wrote to memory of 4208 (adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe -> devbodloc.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe (command line: "C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe"), PID 1084
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"), PID 2912
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\UserDot01\devbodloc.exe (command line: C:\UserDot01\devbodloc.exe), PID 4208
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads