Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:04

General

  • Target

    63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe

  • Size

    2.6MB

  • MD5

    3e8d70a4fb9d4311e9399dc20cbffe51

  • SHA1

    14c00f90eb01c6b534e4f8add39293875d11c8f1

  • SHA256

    63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f

  • SHA512

    29c9fbb7e6b213eefa51cdc6e3d03592045aff956cbfba22df84fb52fcb60156acd8c5e7e0e94d95defbb5cfa92e972ff0d94bed0b3eece78b33ebc2186de9b4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2368
    • C:\AdobeSG\devoptiloc.exe
      C:\AdobeSG\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:296

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeSG\devoptiloc.exe

          Filesize

          2.6MB

          MD5

          d5d8c51b2fde8a110cda09c14c77cb92

          SHA1

          074015d597c2f59ddcfd8c68421f1e53a5ce68ff

          SHA256

          f3065b774b89b5ab34ae32feab7549c491dac36e923f375172dd78da2a4c6ae6

          SHA512

          cb62bc421c9897e5ae0da4fee097c3c76ebfa252beb3c0bcd20386dc5409ee5e1cb77d9e4e5fadcbbd19b424abd75d31cece919eca22470591626706a44dd4c6

        • C:\MintBR\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          e0c7863a3f3d9b89e39b3713a7a24f1f

          SHA1

          afcf273b40c4fad21d8db58cc9281afcfdcbb756

          SHA256

          e5502dc0c28c3f4a460af1cd2726d1764f403d9c615d9ab94a2d959de085846b

          SHA512

          49b2efceae3bea21d42dbbecb688121ca5dc89f0564bb00c52672987d1737b6d94179672620c799e3c7c18414b0e3d8029369d4f16cea1107dbec7baa1618437

        • C:\MintBR\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          f1aa967e87f59b6b6f57dace67a352ab

          SHA1

          1c95c5481ade9f57ac03e4c115ac3cfe83301cd9

          SHA256

          9468e3a56ecb8f9f050bf1e338d1c5cf3c29374a825335de73871e6b4a16ff50

          SHA512

          fc28831ae142841d0c430fed5bff8e2540fe9521ec1a9b0512ec8da60bbcc7fa9c81712149102946e414616fcef99d27aae37ea640eb159bb1cc348522c1468b

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          cac17bcafc887d5bc5508b5eab8f57a7

          SHA1

          9b003a9e3f7a5a2612fe5c1a6509d06ae63f23cf

          SHA256

          8f95ee50eb5662b1707ad6a13613df58b452a1f7286c60d4a068c64f8934e925

          SHA512

          f080b0f963930f733cb04dd44eccb4034b08345b801601abfe4b745c7c30cb7684c5006033e909338a144774830448c21eb45812b5e0f3ab13d87ef34c795daf

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          95ef975e41c91f9eac483d77b6b3938d

          SHA1

          ad9852caaee53c6b24f08ec9140b88e821faea3a

          SHA256

          e700ca62442fd70ba3dae1955a9ca3a7e69e7247aa2c714f8bc7c75eb2a202ac

          SHA512

          a2cee6e314bfa848e576a5e32fdbd46bf4659dc62c26b9973e87ed268bbb44308fe56e33c3613b1d132dcd0a113e9b49d565560365fae6b9a3fda0a9a8a28f6b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          1cfe43a3090e04b65bdccfde99cfa8ba

          SHA1

          0e2b41c8bbb3165723f5c4ac10504bfa765baf6e

          SHA256

          4761f6cd6acd7e6285574cd75fdaa49369f092621006171b71e228b23ff1ef8e

          SHA512

          7f9ef4e0045be189233f6e2465879bdce3188ac6a25d1346f523743fe4a0330c65c27e32ac12275c15949bd81a6560f8fe7d1808350d8fa97a2fe6e4be014111
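A hunt script for the artifacts listed above, added here as an example and not part of the sandbox report: it walks a volume root (a mounted image or a live C:\) and flags files whose path matches the drop and persistence locations from the Processes and Downloads sections, or whose SHA256 matches one of the hashes listed. The user name in the Startup path and the numeric prefix of the .ini file name are assumed to be host-specific and are matched with wildcards; C:\MintBR\dobdevsys.exe appears twice with different hashes, so both are kept. The report does not show the Run key value name, so the registry side of the persistence is left to a separate review.

```python
"""Hunt a filesystem root for the files and hashes from this report.

Added example, not the sandbox's own code.  Usage: python hunt.py <root>
"""
import fnmatch
import hashlib
import os

# SHA256 values copied from the report (submitted sample plus dropped files).
REPORT_SHA256 = {
    "63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f": "submitted sample",
    "f3065b774b89b5ab34ae32feab7549c491dac36e923f375172dd78da2a4c6ae6": r"C:\AdobeSG\devoptiloc.exe",
    "e5502dc0c28c3f4a460af1cd2726d1764f403d9c615d9ab94a2d959de085846b": r"C:\MintBR\dobdevsys.exe",
    "9468e3a56ecb8f9f050bf1e338d1c5cf3c29374a825335de73871e6b4a16ff50": r"C:\MintBR\dobdevsys.exe",
    "4761f6cd6acd7e6285574cd75fdaa49369f092621006171b71e228b23ff1ef8e": r"Startup\ecdevdob.exe",
}

# Drop and persistence locations from the report as case-insensitive globs
# relative to the volume root.  ASSUMPTION: the user name ('Admin') and the
# numeric prefix of the .ini ('253086396416') vary per host, hence wildcards.
SUSPECT_GLOBS = (
    "AdobeSG/devoptiloc.exe",
    "MintBR/dobdevsys.exe",
    "Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/ecdevdob.exe",
    "Users/*/*_6.1_*.ini",
)

MAX_HASH_BYTES = 64 * 1024 * 1024  # do not hash very large files


def sha256_file(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def path_hit(rel_posix, globs):
    """Return the first glob matching the relative path, ignoring case."""
    low = rel_posix.lower()
    for pattern in globs:
        if fnmatch.fnmatch(low, pattern.lower()):
            return pattern
    return None


def scan(root, known_hashes=REPORT_SHA256, globs=SUSPECT_GLOBS):
    """Walk root; return [(relative_path, reason)] for path and hash matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            pattern = path_hit(rel, globs)
            if pattern:
                hits.append((rel, "path:" + pattern))
            try:
                if os.path.getsize(full) <= MAX_HASH_BYTES:
                    digest = sha256_file(full)
                    if digest in known_hashes:
                        hits.append((rel, "sha256:" + known_hashes[digest]))
            except OSError:
                continue  # unreadable or vanished file; keep walking
    return hits


if __name__ == "__main__":
    import sys

    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{rel}")
```

Path matches are the cheap first pass; a hash match on a file outside the listed locations (a renamed copy, a second user profile) is the one that would otherwise be missed, which is why every file under the size cap is hashed rather than only the ones that match a glob.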