Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:14

General

  • Target

    595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe

  • Size

    2.6MB

  • MD5

    f3b41a7c2f796c16919a93e2fce98790

  • SHA1

    b4d93dd38d255dc20f209a20e87814bc6121a151

  • SHA256

    595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550

  • SHA512

    efb2351ab78d032e4baf49560ead450800e33cae803cfcdce6c7a1260b8624cdf0579752969d722a3dc2fb5122a04bf914da76a1fcf4d63b15c138c8d25e2864

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe
    "C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2172
    • C:\SysDrv9J\devdobloc.exe
      C:\SysDrv9J\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrv9J\devdobloc.exe

    Filesize

    640KB

    MD5

    3b85c7d1d87bd61bc355d564e7d28a11

    SHA1

    069dea6339d9156e51bbe949df23a11cf85b459d

    SHA256

    e673e7fe7d2982ec7973d85dc62708363e7c959a34761583e1ac733bbb01000f

    SHA512

    b848c0acb6ebac2681b917bc893f4e80ded401be7b1a0d8449754ba1c79f7a5649802a79c8b5c6b4d1393700f02a2686759146d5556566ca0fd3126091826f12

  • C:\SysDrv9J\devdobloc.exe

    Filesize

    2.6MB

    MD5

    5a14429f6f9332a9cb17ae8ee89f899e

    SHA1

    17cb832c683a84d19aab6aed186b19b01e5e1727

    SHA256

    95bcb5d6fb87379401c078fc1c287034f020d1214b1e2a48f5763691213e323f

    SHA512

    1a2602cff8558457d3a1fbe5ece55af9178880f32f28fd482186132e3b6f1d6dfd847ac4a5b51ef8c409b0b28a0512be86dcc0f9b0cf1fd869f3ae7833564d9b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    6cc69532a102f2c8342dae3bfd9ee562

    SHA1

    54d340de218524864c907f29eb5936d7e7f9cd5c

    SHA256

    81514a65e80470e37a95d9b167418848c97a884e1a84c93a78083a857da43cfd

    SHA512

    be205228c2db32efbd7fbdaa49e533b497913a1d5d0b048e9ca6712eb8a65079cd9d49a9eb8a7312515ff93de6912eee4a149d420ce3fd8412c20ba9c7d0e55d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    4ef96f952be270ca00fd44f48dd0ab3f

    SHA1

    5c3dc1ab4ab02bf1d95fa07d197f82243d8fedd4

    SHA256

    2c78bfd3a71423d5f80bccd94775472e5c53741524be2bc00145d3a240ea1017

    SHA512

    b0dcf07a7a469ed43c09d43c7cdf1b1d80601faa102f5d877dca56e00e5527bf7a23e053fe0d767544db41f93f4a01d1fc3731693507dc7d1a6f59e6c0d06050

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    676a9da3e628df7ef37297546397f36c

    SHA1

    9a4277f22a950acb1a6472a9149d465dc700fff9

    SHA256

    4df0aa091f8733ee74c8658fe8656ca8c290f6afe57fa6277119607d841bc535

    SHA512

    431b52263d65f9cfbbf383681759eb28362f518b11688a53c19a5597a7b156049551eb82950ef3949ca698f1d9a2b616a16f019faf902907cbe0fabddca9dad5

  • C:\Vid6P\optiasys.exe

    Filesize

    2.6MB

    MD5

    49a61cb719df93e50060a9a1f7fd2d14

    SHA1

    e5657b05b2574f6043ba62c14964f56447dd6358

    SHA256

    27054f80461734dd09c27185eb74641448c1d544d8eb55eacec793612c0977af

    SHA512

    36649cb784bd6558d3b2fe70bd69666b4eb312199da54218abdf0857504770f1a693da9420f8d89506cb85d7c5d97c67178cba4a97182c2d5158074f2b071a68

  • C:\Vid6P\optiasys.exe

    Filesize

    194KB

    MD5

    efe6ddf93ef9c1ab381cd11e65df79fc

    SHA1

    ca26625c07cb87f3761a181e92d76c22bffba378

    SHA256

    d264d8062e689be0dc29433caee9e72a90098e97d05517f8a9af5bf0b11669e9

    SHA512

    9cc6e3328f92641a59cc8caa08d85ad57daf343d81b0194b70b0c795d0ec88350607c7137f9c4ea245cd251a23f9159fa5cbfc2aa0d798b77cc63c8981f04ba6