Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11/11/2024, 22:53

General

  • Target

    e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe

  • Size

    2.6MB

  • MD5

    99bb09ec08a756d69433b3d74452bb40

  • SHA1

    ff7b2379ab9fef415b751a26b37bcbcf75cfcc53

  • SHA256

    e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348

  • SHA512

    eb7d47e90f8f03aa3eca19735585fcfdb77746741543e0d40b7dce36f70447a1292e6fea0b9ced1b3fadcd4fa0c9b3697f8c6fb013611350fc2b82fbe8c8c140

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
    "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2252
    • C:\IntelprocZ0\xbodloc.exe
      C:\IntelprocZ0\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4216

Network


        Downloads

        • C:\IntelprocZ0\xbodloc.exe

          Filesize

          320KB

          MD5

          21c54beb83097ab82ef74c730e50fabd

          SHA1

          39f4b770534b562d4a9848a582e10badc9b1e01d

          SHA256

          fd5b82c1cc131c4c7d9c806e640bd95d5baa0df7adcd1462670d7c07114d6a51

          SHA512

          3c4e75c4fe85b198e5a4a89098b628f61981843eb543d7c5ed70a98a91b2d4cefa93a0701bf185e9ef55413bb0fed14b9af2595c86fc56d4a14f42327997cd94

        • C:\IntelprocZ0\xbodloc.exe

          Filesize

          2.6MB

          MD5

          b550e59e6acb8517fbc445c31b6346bb

          SHA1

          11bb85065e4c5ce5ed8d8bb2717ce3a1d80795e0

          SHA256

          992cad33ce6718ac397ef73d2484685cbbca6a07ef73600b4fa77bf1ca9c69a2

          SHA512

          15f0edf215477abb8c40d0a2c656d640581cab41f67bfac95ab18ccee1eba13ea46ab0241c5152a715ccf5a30ce4480cd70379edd096755965e94a57c684f540

        • C:\KaVBDG\optiaec.exe

          Filesize

          2.6MB

          MD5

          c13b94b59867a8bb3d2a528c78cb658e

          SHA1

          449b04c57357c29af83c46d408f20aabc367c734

          SHA256

          8f7f340b39217ca3a78d8d50c07cdc5b7dc29a0ad713dbbf1429720ff8ac78a2

          SHA512

          d8a2ff9e68e1f293090ad734c896e25c81c5dfaf511d116dd96d21b298461784887faa9c4547afa22fb97edcefcd0b23d23e16e8ad884b33eb4c874e415c97f9

        • C:\KaVBDG\optiaec.exe

          Filesize

          2.6MB

          MD5

          ba4e9e4d805d152e5205cf62a80efeaf

          SHA1

          aaa02a8ad588eba63e211885738663e34fae0ed2

          SHA256

          bef956ef1c2542d09c969e02f3901d1b59ef00e82c4d90da901b0570dac3380e

          SHA512

          85179a799eb187d617cbd99ac9f0f77a35fce3df6b1a4d956e7f17147cdf8507db121a5ba31fa19b3b58b914c48e6d8dbc7f6696b8a65c79a86c1fc933e036a4

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          ee3409effb682cef31f1272bcb7c2e8a

          SHA1

          4967a618d17d3c21898bf79aee6c609da2906a7f

          SHA256

          77ab83d6369f4e0c8489e5e78c2feb8de215580b666d46a1fb5f910e78e9bfc4

          SHA512

          e5c7598235acf0038eb5cae6f40799cc7dfb00668674befd03ddea0ecfbbf01f3aabb96b61edc86699ccdf8b1614b04c12f4f541df7e8e81862718526b59b19b

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          b0c0aecdcb00dd07a5b517f5bd39b161

          SHA1

          e76129ffa52ba5dbef676a98111a38246989b03b

          SHA256

          49c711e4607e028d063517e502c7984b19374997682de083d68b9c56f699f1f8

          SHA512

          39d1743754dece3454cdfe7e3b35f0b0e65c1dbacdb7bd2cb56a4952c3a7f5d3a79ae56c572d1f2dd8c07a363fc66f6daa780917e2aa3f0435112c4233de0a9e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          59ec889db8355036ab617b98af05fe3c

          SHA1

          460835db1f8a3a90f94e793eb00679b47ade5e28

          SHA256

          1430ba44d10868327474c48f46ec9cc23a474d07e2848ec35437882189623524

          SHA512

          c81f942fe1a3b18f946977907026f264b7d38a517e4fad72b826bfc9d9a578217e722c00266fef0c96221230d7dbb4cb78b6da4bf8bd6d7357ec8c9a059b40a5