Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:40

General

  • Target

    adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe

  • Size

    2.6MB

  • MD5

    0bb6856eb3a00807c6d2b7b08fea245f

  • SHA1

    873b6af8a3c21721956b73e407c39128fdf9172a

  • SHA256

    adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149

  • SHA512

    45eeb5e6e597299d6f1fe449529cde217ad194131db13fbfd139a89901908bb1382af46c3b48a015fb74377e37b91fd773e8beeccd56352ba412ebc92720a7c9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpwb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\UserDot01\devbodloc.exe
      C:\UserDot01\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB7Y\bodxec.exe

    Filesize

    2.6MB

    MD5

    2ed4aa2646617bb3f5bc199f9a7eda0c

    SHA1

    1f67bdf10ead3dbbd84115f902585780f466aee3

    SHA256

    db85ab88ede829a146298e872bd0d8fb4c03f766b8c03fd9b512d1ac5c92ed16

    SHA512

    a4cc4e9525e4bd82f251f7bfdefa4c224576f657c71dd875b3e623c60aaca685c683c93d5c302bb87beda296c5785bf7e0e3ec6cdfbd2a5b45c2a64489e03447

  • C:\KaVB7Y\bodxec.exe

    Filesize

    2.6MB

    MD5

    d1856b552e335e1122732e31add53786

    SHA1

    9b0b15dde0ae25ed17bb829451efd1dff6aea5b1

    SHA256

    ee3a0bb9562401e1cdf70dc5a000bf3dcac61792bfcbd047bce2e1db7465b4ff

    SHA512

    e12ddb0974005bcb2238b67f621c2b9d976910651256d201e539be146d668d7e4fccf78e790386c92001ac3ed579575cd042d534e2a451e4079e4156556c6775

  • C:\UserDot01\devbodloc.exe

    Filesize

    2.6MB

    MD5

    d280113c5053c235b7bba6751fb8b5f0

    SHA1

    0e6cd2785d1aa8cda1c7c6d5acbc877595ca0cc0

    SHA256

    3c40048c5b8527f20a3fc74a707aa7cf92f0ee3611b5c34c14b2526f6e4f9fd5

    SHA512

    b7ac8cea1b85dca8fa6ee90b0ea99a0d7d863aad49305756c2cf61d96ba0a57b5d52c994a4cf7924b9f9f5873caab24948c79d05d29d529d78ff84632ccc9001

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    e4a33d16356a3301cee5778e4d4c5a42

    SHA1

    93d88a4ec03ce3c30b38e6e1620b77e908d59870

    SHA256

    ccdbf3f24f732f807908dff14fec2bce60f282e9349c73ee0369b17c459e50df

    SHA512

    69ded3c78aa0734687372aa41d9b2138c21659ae98aff4cc56b4029256664d95c98db9c54e8614a8e4943b639c2066da39c399c09165920a7a04f814b38d67fe

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    8eba4d10ca24df5a52593393fcc65e51

    SHA1

    08ed4b893f38e469f66b1f072db1206b2ffb29bb

    SHA256

    d8f6b7e11176c5558fae481ff61bd9c2b73753945b7379c7ca995f3504a48474

    SHA512

    67d6092fba249009973c7dee2b8c813d44366d3a01bcd8a3cc3852fbefa45dd793424d8f6b0201806c488150d88890caf28701f14a56d360a603ed6a9e804950

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    00ab11048e07e6b3043a2c56dfa85fc7

    SHA1

    0243ca0850b8ab231953f61820e4e6cf88dd424f

    SHA256

    c7806b4614d106572703c23fadc2ef1bf88b348365304c27c5c78079ff7aaba8

    SHA512

    17a5241fe7c2b233d7036f7a3f3b79872d4c42bf303c65e3dc67dcfe4d49a5dc10a09b5e33df5f169914fa4e6bf84217e75ce906e86288b88587cb04f0206e60