Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:08

General

  • Target
    88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  • Size
    2.6MB
  • MD5
    23d0af67dfe646f9e6e097a3acfa9496
  • SHA1
    9de285012d4eecad61214f49f0d85f0908196631
  • SHA256
    88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626
  • SHA512
    a80122dc354010325dce2a93abf27e6d9b40ddca1e1ddde96dfe1cd58e71e3e33fe1a00313eac94c478da1ec18fa30219b124e21600a73de1aeb06694c43c5c3
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSA:sxX7QnxrloE5dpUppbR

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
    "C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2812
    • C:\Adobe7M\xbodsys.exe
      C:\Adobe7M\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2204

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe7M\xbodsys.exe
    Filesize: 2.6MB
    MD5: ef0f638f6fd6048700a39f1329346d8c
    SHA1: 4314421c1828e056da3082f870fb41b17d0c9639
    SHA256: 6126175486c8e7abd7395b934d59abfa03ff18beaaae0bc9b1c971043ae1fcc3
    SHA512: f38ec4df8a818846c9c8cce5754d5fff2c59cd23d7a17d74cbc173f302cc43bf87dee057b31561cf6b5d83079de0d91092dc5108d9ba8283bd3600f9567bb51c
  • C:\KaVBH2\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 3f52b1ae4b7529887b4db28b9f5b79a7
    SHA1: 9f35439dd3b3d01173f579ae325137975feef39b
    SHA256: 7a7f328a31b6a4ab42fc20ccc3a904a4795f99a2e29cb2e2837125706513d0cc
    SHA512: 7e6d19ebe93e048ff3c186ec08246dad50c8d7a8dce4d9b923e91a2ec5c2a44b030f1ecc47e14fabe68df1fbb8e3cb12d4c11047bf6bb18ebea73704f400ef81
  • C:\KaVBH2\dobdevloc.exe
    Filesize: 2.6MB
    MD5: c59417404731b98ae63cb288bf098027
    SHA1: c77f55b8e5078a62b266fce73a067eaa05af8207
    SHA256: 39862a44300951a4306713382a74d6b4f4144c03b37a9b11cf0a9f3c433522d5
    SHA512: e00537a6401e176d81222c6d796ece38b0e82b606da6b56e94df98911f373370eaa431947c70c6bfad915347f80c520f244bc45114eec76a2f5bb9d49a87e191
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 2bc20f384040ff6141eb24c813a8b134
    SHA1: 79361c4432552fbe122fdf2b8a8b5999c5aafa7a
    SHA256: 6aa8d6a17aa1e85742f7cc8575877d399db701db53ce2781c3fe6685bbaf6527
    SHA512: 8292605aa10f91e5ebb6c3dc29b8f89eee52e5e77a0a4737f66d1046930f5593f801a82202545708cb372c98bf5bcf946d81b9b65fd0d07b9f5d0ebce228e62f
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: 628a7263d740617330f1d8658e3b9b9b
    SHA1: ececc80e0cae421839ad9af67b077a13a2bb089a
    SHA256: 24cbb48f6f5a1f2df513d4ec945b9cff2fbf70d7c1c937fa77ccd2469f121fcd
    SHA512: 5a85a13857102d61dccd9a2d986c58127e3a04416f20209a04135b7b9fe44f197271928c7c22134c000cbd0221995e6ef12660e21aa5879640aef705905c935c
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 2.6MB
    MD5: dcaa1567e67b55277721aa9dee1d1912
    SHA1: 0892a1aab51db8da5422c227f583098fb95c4d13
    SHA256: c8656736f4118d1803f1143a1da0d1240e12f56b3c9afe1721a06c2487f1431e
    SHA512: 9526654060adfe6b61b19a3f4ad24b5064f2016048f559189a108b543222aecfe3ad0e031b4d72fb1d1cea00e44e5c23505fc928e19f18a2f6e1c9d6d6b48f2d
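The indicators in the Signatures, Processes and Downloads sections (the Startup-folder drop, the Run key, the two root-level drop directories, the profile-root .ini, and the dropper spawning two children) can be checked on a live Windows host with the PowerShell below. It is an added hunting example, not sandbox output and not code from the sample. The SHA256 values are copied from this report; everything else is an assumption and is marked as such in the code: the directory names C:\Adobe7M and C:\KaVBH2 are treated as generated, so the script matches any executable placed directly under a non-standard top-level directory, and the .ini name is read as <digits>_<OS version>_<username> because 6.1 is the Windows 7 version string and Admin is the sandbox user. Note also that the report lists C:\KaVBH2\dobdevloc.exe and the .ini twice with different hashes, so a hash that does not match on a live host is expected rather than exculpatory.

```powershell
# Added hunting script; not part of the sandbox report. Checks a Windows host for the
# persistence and drop locations this run produced. Assumptions are marked as such.

# SHA256 values copied from the report. The same path (C:\KaVBH2\dobdevloc.exe) was
# written twice with different hashes, so a hash miss on a live host is expected.
$KnownSha256 = @(
    '88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626',  # submitted sample
    '6126175486c8e7abd7395b934d59abfa03ff18beaaae0bc9b1c971043ae1fcc3',  # C:\Adobe7M\xbodsys.exe
    '7a7f328a31b6a4ab42fc20ccc3a904a4795f99a2e29cb2e2837125706513d0cc',  # C:\KaVBH2\dobdevloc.exe (first write)
    '39862a44300951a4306713382a74d6b4f4144c03b37a9b11cf0a9f3c433522d5',  # C:\KaVBH2\dobdevloc.exe (second write)
    'c8656736f4118d1803f1143a1da0d1240e12f56b3c9afe1721a06c2487f1431e'   # Startup\ecdevopti.exe
)

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Heuristic (an assumption, not something the report states): C:\Adobe7M and C:\KaVBH2
# look generated, so flag any .exe directly under a non-standard top-level directory,
# plus anything inside a Start Menu Startup folder.
function Test-SuspiciousImagePath([string]$Path) {
    if ($Path -match '^"?([a-z]:\\[^"]+?\.exe)') { $Path = $Matches[1] }   # strip quotes/arguments
    if ($Path -match '\\Start Menu\\Programs\\Startup\\') { return $true }
    if ($Path -match '^[a-z]:\\([^\\]+)\\[^\\]+\.exe$') {
        return ($Matches[1] -notmatch '^(Windows|Program Files( \(x86\))?|ProgramData|Users|PerfLogs)$')
    }
    return $false
}

# 1. The exact drop paths from this run, hashed and compared with the report.
foreach ($p in 'C:\Adobe7M\xbodsys.exe', 'C:\KaVBH2\dobdevloc.exe') {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $note = if ($KnownSha256 -contains $h) { 'hash seen in report' } else { 'hash not in report (expected; copies differ per write)' }
        Add-Finding 'dropped-file' $p "$h ($note)"
    }
}

# 2. Every user profile: Startup-folder executables and the profile-root marker .ini.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem -LiteralPath $startup -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        Add-Finding 'startup-folder' $_.FullName $h
    }
    # The run wrote C:\Users\Admin\253086396416_6.1_Admin.ini. Assumption: "6.1" is the
    # Windows 7 version string and "Admin" the user name, so match the shape, not the literal.
    Get-ChildItem -LiteralPath $userDir.FullName -Filter '*.ini' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_.+\.ini$' } |
        ForEach-Object { Add-Finding 'marker-ini' $_.FullName "$($_.Length) bytes" }
}

# 3. Run keys (the report records the key being added, not its value, so judge by target).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            $target = [string]$_.Value
            if (Test-SuspiciousImagePath $target) { Add-Finding 'run-key' "$key\$($_.Name)" $target }
        }
}

# 4. Live processes whose image sits in one of those locations, with parent PID so the
#    dropper -> child relationship (PID 816 -> 2812 and 2204 in the report) can be rebuilt.
Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ExecutablePath -and (Test-SuspiciousImagePath $_.ExecutablePath) } |
    ForEach-Object { Add-Finding 'process' "PID $($_.ProcessId) (parent $($_.ParentProcessId))" $_.ExecutablePath }

$Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so HKLM and other users' profiles are readable. Every row is a lead, not a verdict: the top-level-directory heuristic will also catch legitimate software installed directly under a root folder, so confirm a hit with the file's signer, its hash against the values above, and the parent process before acting on it.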