Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-11-2024 01:41

General

  • Target

    adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe

  • Size

    2.6MB

  • MD5

    d4a5cb207156f346c2cb2b2aa3bd6260

  • SHA1

    dc959d1342dd6048efcc3bad5a9289f9a913d695

  • SHA256

    adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335

  • SHA512

    766360b90bd0f15c6785f3b19a547b45d3e94028617396beb1f49da2220c78c95940630500568b57130ddef9f65c21f18632e44974eff8a958543ff2c2c09b1b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSq:sxX7QnxrloE5dpUptbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe
    "C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3276
    • C:\FilesZT\devdobloc.exe
      C:\FilesZT\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4372
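The process tree above gives the concrete persistence artifacts this sample leaves behind: a copy in the user's Startup folder (ecxopti.exe), a Run key, and two further executables under C:\FilesZT and C:\VidPS. The script below is an added example, not part of the sandbox report or the sample, showing how to turn the report's file indicators into a host hunt: it walks a directory tree, hashes every file with SHA-256 and flags anything whose hash matches a dropped file from this report, reporting a file-name-only match separately because a rebuilt dropper keeps the name but not the hash. The only real data in it are the SHA-256 values and file names copied from this page; the `demo()` helper builds a constructed temporary tree (the `evil.bin` marker file and its hash are invented for the demo) so it runs offline.

```python
"""Hunt for the file indicators listed in this sandbox report (added example)."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the report's General and Downloads sections.
REPORT_IOCS = {
    "adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335": "submitted sample",
    "334fc87481958a81795c1db2656027f94a618348ff02c5e3f1e3fcaa2730ec30": r"C:\FilesZT\devdobloc.exe",
    "08c39f4db71c32abb28dc8240ff7505f6a5216f89218561ba2a2308b32e7d2d3": r"Startup\ecxopti.exe",
    "fbbaadda49a958eff1dd08d9e2202c027b9d05242c8a626a7bfd88c18c552193": r"C:\VidPS\bodxsys.exe (340KB)",
    "5f6f1d46fa3519dd8b078c3f89471f06c08c6445180fe9911afa4bc32f91df3c": r"C:\VidPS\bodxsys.exe (2.6MB)",
}

# File names the sample wrote. A name match alone is weaker than a hash match
# (a rebuilt dropper keeps the name but not the hash), so it is reported as such.
REPORT_NAMES = {"devdobloc.exe", "ecxopti.exe", "bodxsys.exe"}


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hash_iocs=REPORT_IOCS, name_iocs=REPORT_NAMES):
    """Return (path, reason) for every file under root that matches an indicator.

    Hash matches take precedence; a file whose hash is unknown but whose name
    is one of the dropped names is reported as a weaker name-only hit.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or transient files are skipped, not fatal
            if digest in hash_iocs:
                hits.append((path, "sha256 match: " + hash_iocs[digest]))
            elif name.lower() in name_iocs:
                hits.append((path, "name match only: " + name))
    return hits


def demo():
    """Constructed tree: one hash hit, one name-only hit, one clean file.

    Returns [(basename, reason)] sorted by basename. The marker file's hash is
    computed at runtime and added to a copy of the report IoCs, because no
    local file can reproduce the report's real hashes.
    """
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "evil.bin")
        with open(marker, "wb") as f:
            f.write(b"constructed marker bytes (demo only)")
        with open(os.path.join(root, "ecxopti.exe"), "wb") as f:
            f.write(b"rebuilt dropper: same name, different content")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign file")

        iocs = dict(REPORT_IOCS)
        iocs[sha256_of(marker)] = "constructed marker (demo only)"

        hits = scan_tree(root, hash_iocs=iocs)
        return sorted((os.path.basename(p), why) for p, why in hits)


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

On a real host, call `scan_tree` against the user profile tree and the two drop directories named in the report (for example `C:\Users`, `C:\FilesZT` and `C:\VidPS`); a hash hit on any of the five report values is a confirmed infection, while a name-only hit warrants pulling the file for analysis. The Run key itself is not covered here, since the report does not print its name or value.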

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesZT\devdobloc.exe

    Filesize

    2.6MB

    MD5

    0aab4cc7a0f4b5f1e7eea38f4b0afaa9

    SHA1

    c3bba314ead38fa9c2df18ec9530235eb5b34d63

    SHA256

    334fc87481958a81795c1db2656027f94a618348ff02c5e3f1e3fcaa2730ec30

    SHA512

    141d11bff3f7b8d1dca219fea0897ebc32cc957a9fc1c19f3c715f39b49255e8dcd681c47cce504f5a3668a04ca6f23fa5e16e1acf41a3ac73e960f2b1c57089

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    9651d41196231bf96964db49aaab1c09

    SHA1

    c7c14f6c8c2873cc05e64806d51ab1d67c2d0583

    SHA256

    51d21e9ce1580a6cf3b104ba6982de60e1491ab753caab999ca5717d9db29fcd

    SHA512

    9efca22809bef33fe60e55b49647cb172ca5c07e0878544e7b86ee988e1b200d9387d9c7894c56622833b4158961d0ac954fa4aeca8803ba2c60050d88ae113f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    bf2d491e5b383a49ffaba18d2f9877a2

    SHA1

    fc843b4bfe9ef71e9d34cdd1fd869b37b88096ad

    SHA256

    131bed842082962b2532dc0738d11e3d3fff246080528a309072fe496809b54f

    SHA512

    2f554dfdece11efc9be1a5e6528991e8af4b3d821188dd3d1cddad2a8970ca79377c3c8657574752d88105c9738ee72a1707d4bc0803ef65e06776851a78bdd4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    2.6MB

    MD5

    db58bb8b79ec2ffe155c028bb74dca1a

    SHA1

    2098e7f0b41a47683123fcd4ad6a5b5cfecb01ee

    SHA256

    08c39f4db71c32abb28dc8240ff7505f6a5216f89218561ba2a2308b32e7d2d3

    SHA512

    87ddd1f7ee93e4d111dff67050d545d898dc23fda816af8630c42971c34d9423d98a6db7393e681d123f59cb927e4f1f873e443f00ced9d853ecc1e145a5f142

  • C:\VidPS\bodxsys.exe

    Filesize

    340KB

    MD5

    2875d101598bb9601397f40462f2ccc6

    SHA1

    ce1bbc2ad56c4a756bc891d7e962ab8d5961f0ae

    SHA256

    fbbaadda49a958eff1dd08d9e2202c027b9d05242c8a626a7bfd88c18c552193

    SHA512

    4bd01f6f044c1c4f80550f56005a50d251d89e1c83efe638b58f7a344bfa40329b64763f9b40c62639863d3d24c55f8e7e80117db42c0c5504d1564fc37b8002

  • C:\VidPS\bodxsys.exe

    Filesize

    2.6MB

    MD5

    323aff53b53546ecf54cd68758600a53

    SHA1

    3999f46d3060eb15ca5000d7cffe5f04c067b544

    SHA256

    5f6f1d46fa3519dd8b078c3f89471f06c08c6445180fe9911afa4bc32f91df3c

    SHA512

    7370bee0b605f749b12f7fe011190b02b38d91d968b94bf3d704888283483e5652e64ac0f1f30da98877ba4ea74b555fec157e4c0bb730b4f3324aa53a6ef0d2