Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:16

General

  • Target

    904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe

  • Size

    2.6MB

  • MD5

    4ecf927a8c12c4d60767427b6b9111f0

  • SHA1

    2933bd81f9cc63cf5518db0c9dde7a7993d7d7bf

  • SHA256

    904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcf

  • SHA512

    d32326242a1291482c3f25a66f98640f31e04f7e1e9fb18ebcf77615ed00805d733a2e565d54bf0b6509e9274fc0f98978f04520423bc61ec0e7fd7d82d0747a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpGbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3448
    • C:\Intelproc4X\adobloc.exe
      C:\Intelproc4X\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc4X\adobloc.exe

    Filesize

    2.6MB

    MD5

    6f1ff0d2d096ae4842d2b69bf1ce2a21

    SHA1

    9fc3c1aaad44c01b9b0bae3b479cc35c2239d9fc

    SHA256

    2556aeb88ea8c5c1e04ce755c136f6630d517ada3210fd1d7db0ae2e005dae45

    SHA512

    4ac8f0e846c1c744536e5fe9858768797fe573d3074b4f380bca9f6cecb1815251e931a4ab946853b71ee460618ea8bf3dac651fe8f4ceadbddc2c7f2d739611

  • C:\KaVBC9\bodaec.exe

    Filesize

    3KB

    MD5

    b85ef880820ad2f02706b10170e533fb

    SHA1

    71378239fb161e35c8f79d7a951d7d09d4f45b33

    SHA256

    824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78

    SHA512

    f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3

  • C:\KaVBC9\bodaec.exe

    Filesize

    202KB

    MD5

    f4680eb1f15a20b303fe8bf5487d4fb6

    SHA1

    894249b35def4fea40aa3ee62aadf36676366a16

    SHA256

    d7f08c7c904af30e72a91fe6ac96fa50c8cd9a28678e6013a172752f1c2b37e5

    SHA512

    529ca9b99a64e91b6940b160d1f303f9e8ab42790784c4f342c32db0549d1d0c5f3ab04893d064d1b839bea4ef44aa35a5d1c5b368284f1bb12820c805913a4c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    f8ab6d8faf85ee56838f737e91d39fc7

    SHA1

    7e06cead2ff139961875dc7ffaa17faf78426905

    SHA256

    44ab223fd74758dd23b5a1694f1191040fdc8d664d611ec67ec11c48813dffca

    SHA512

    ed9cff55984dc9c99cf194da98ef236457480be4ca94f97714a78af1a932b05c5d1eb9c2ec4294181158d8a2cfb9da0e73f203e378839efd306013ddf495cff1

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    b2b1c316e726793f9019748527d2bbfd

    SHA1

    e71bc8817d9e59d6e8a46cda70c2c8a7e9d9b949

    SHA256

    13670891a0d80dbea94274b8b3558d50650bd84fe6e01f049ad57e473204f480

    SHA512

    1aa5318b9b19e9851ab3484fec254b0aff1dcb0a89431c1c73b22f82cc36793e7b4b7ba4a73a8298a4ca838abb5f6ca1e3909e2897d6e5097d31ac9c1e22dda1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    4129f842e4774654cbf876304d32990c

    SHA1

    4a1023185d9bd2e65a57658531d89af71c5dfd83

    SHA256

    01dcb93fa1a596fc866046f4217a4a094d99130617092e6c5d0bf80ed7af8c34

    SHA512

    143ba8d18d69f758f8376aab4daa88b9dd92ed289d939c67ecd234144af6e137fdca582e70ea64acb1f1ecacd97c6aefbcaa14eba13efd369e61420e0437e006
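The following host-hunting script is added here as an example and is not part of the sandbox output. It is PowerShell because the artifacts above are Windows file paths and Run-key entries. The file paths, file names and SHA256 values are copied from the Processes and Downloads sections; the Run key value name and data are not shown in the report, so the script reads every Run entry under HKCU/HKLM and flags those that reference a reported directory or file name. The wildcard used for the .ini name (the report shows 253086396416_10.0_Admin.ini) is an assumption. Note that the parent sample, adobloc.exe and ecdevbod.exe are all 2.6MB yet have distinct hashes, so a reported path that exists with a non-matching hash is still a finding, not a clean result.

```powershell
# Added hunting script, not part of the sandbox report. Paths, file names and SHA256
# values are copied from the report above; anything marked "assumption" is not.
# Run elevated so other users' profiles and HKLM are readable.

# SHA256 values the sandbox recorded for each dropped file. bodaec.exe and the .ini
# were each written twice with different contents, hence two hashes apiece.
$ReportSha256 = @{
    'adobloc.exe'  = @('2556aeb88ea8c5c1e04ce755c136f6630d517ada3210fd1d7db0ae2e005dae45')
    'bodaec.exe'   = @('824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78',
                       'd7f08c7c904af30e72a91fe6ac96fa50c8cd9a28678e6013a172752f1c2b37e5')
    'ecdevbod.exe' = @('01dcb93fa1a596fc866046f4217a4a094d99130617092e6c5d0bf80ed7af8c34')
    '*_10.0_*.ini' = @('44ab223fd74758dd23b5a1694f1191040fdc8d664d611ec67ec11c48813dffca',
                       '13670891a0d80dbea94274b8b3558d50650bd84fe6e01f049ad57e473204f480')
}

# Locations to check. The sandbox user was "Admin"; a real host has other profile
# names, so every directory under C:\Users is tried. Assumption: the numeric prefix of
# 253086396416_10.0_Admin.ini varies per host, so the .ini is matched with a wildcard.
$Startup = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe'
$Candidates = @('C:\Intelproc4X\adobloc.exe', 'C:\KaVBC9\bodaec.exe')
$Candidates += @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName $Startup })
$Candidates += @(Get-ChildItem 'C:\Users\*\*_10.0_*.ini' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })

# Dropped files: report the path whenever it exists, and whether the hash matches the
# sandbox run. HashMatch = False means the same path holds a different build.
$Findings = @(foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Leaf  = Split-Path -Leaf $Path
    $Hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $Known = @(foreach ($Name in $ReportSha256.Keys) { if ($Leaf -like $Name) { $ReportSha256[$Name] } })
    [pscustomobject]@{
        Type      = 'File'
        Location  = $Path
        Detail    = $Hash
        HashMatch = ($Known -contains $Hash)
    }
})

# Run keys (ATT&CK T1547.001). The report records that a Run key was added but not its
# value name or data, so every entry is read and flagged when it points at a reported
# directory or file name. HKCU covers only the current user's hive.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$IocPattern = 'Intelproc4X|KaVBC9|adobloc\.exe|bodaec\.exe|ecdevbod\.exe'
$Findings += @(foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Entry = Get-ItemProperty -Path $Key
    foreach ($Prop in $Entry.PSObject.Properties) {
        if ($Prop.Name -in $ProviderProps) { continue }   # registry provider metadata, not values
        if ([string]$Prop.Value -match $IocPattern) {
            [pscustomobject]@{
                Type      = 'RunKey'
                Location  = "$Key\$($Prop.Name)"
                Detail    = $Prop.Value
                HashMatch = $null
            }
        }
    }
})

# Running copies: the report shows adobloc.exe and ecdevbod.exe executing as children
# of the sample, so a live process by one of the dropped names is also a finding.
$Findings += @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in @('adobloc', 'bodaec', 'ecdevbod') } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path; HashMatch = $null }
    })

if ($Findings.Count -eq 0) { Write-Output 'No indicators from the report found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

Path hits with HashMatch = False deserve the same response as a full match: the sample already produced three 2.6MB executables with different hashes in a single run, so hash-only matching against the parent or any one dropped copy will miss other builds, while the drop directories and file names are the stable part of what this report shows.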