Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:24

General

  • Target

    233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe

  • Size

    2.6MB

  • MD5

    2e47363aafdf52a77e53e93942f5cff0

  • SHA1

    7ecd9a116d4e5e7b3c5d4342a05984e86c777bd2

  • SHA256

    233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7b

  • SHA512

    0a0c086e1bb060fb85c6b75befb53710db13a8eb54d5587444b18dc6d8e1122dad733c91b6c4200e4c4bb1f75166434bcc09736e0efda3a01326549bd55fa4bf

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUp6b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
    "C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4408
    • C:\FilesOP\devdobsys.exe
      C:\FilesOP\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2408

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesOP\devdobsys.exe

          Filesize

          2.6MB

          MD5

          b5ce79180961884259e1c1466500358e

          SHA1

          08088d284a19c038201131db4e8c4325ed7a0c3c

          SHA256

          bcf2177cd1e4d890569ff4acb622c8672e6399cea88ec78e9fc416cd4e969596

          SHA512

          7b4296df27d6a162a11cb930a353f2c88b9a543162cca2fe78cf59a92a59f8a29644a9dcd8972c92904c18bf06c5ac3199c99d001492db534836ddbeed7e9d72

        • C:\MintMR\bodxec.exe

          Filesize

          492KB

          MD5

          5460b10c42b06e262412fc3e28bc22ec

          SHA1

          293983cb6589fb09095e36026a8b83e08a005391

          SHA256

          8b5ce7ffa24e877429ef276eb2d9700eb12ccf478560a35a998ec5c0ec97522a

          SHA512

          08a31e3d00c6c398e3b1468e024fe769c128129c510bf226ef2d306b7123844e3dc77b234b498bf5f6922cc9b4818e578dec1fd4ee858cda5d2a5ab5b21dda14

        • C:\MintMR\bodxec.exe

          Filesize

          2.6MB

          MD5

          97b873cbaa5481c8bb8ac61ca22ef18a

          SHA1

          8c70f3deef9bc063e352ab311dbac0c61c27cbd2

          SHA256

          ffe0382174eb399e8a26d888d833a5f386e180ca9be6e4d67985914057ad78f4

          SHA512

          95821acc431b96a77c0fd070f9e34cb1b119c805f2cd312d615fbcf7e951094d48e8a9ea35a3f1097137909af38a73a4cf3673cbb1b860383d8ffddb964ee042

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          b9bb07f9928c63d7e7cae7c90799d3d1

          SHA1

          41ffd2866d076666d5db0e7bc450cfc40072ba08

          SHA256

          b775dbe2a2b1e9584f099743463f22f83e35b3a0fc09886ac089f6c3d4b75487

          SHA512

          6a03cbb5a6c7f08f47316b82c33960e2e75f1d61f83ed014c5fb6ea9ca3e825c4bd5a92b29bd0fff95a3f4f431f5ca7abd2a049e5691f5376613e7684b74ae75

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          c91740359f094806ca93e94e5a61d1f3

          SHA1

          92d963c136b9e0d5d5f94c7052c7c32dcf4c2983

          SHA256

          c80739766545d3bf3f8f7dc30ae6d374a0de98c2def63ef3f620db671ff77cfe

          SHA512

          b2723cab9aefef97c64562d237b4fcbc41d28d3fbfdaba96cbca0040f9ac884929bd470ea657d9ff5fbc419788c539cdede8751a4a68d96656a0410ae6e03812

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          6b97322d9323b343e6d5e57bcb0cd4e2

          SHA1

          b6686b7ced772a086e1619be36633f021f849a3c

          SHA256

          dfd5e5b355af91e52a163672994836cd90ab910e0cde57325adc638a98ab36b1

          SHA512

          58af4eee3e4898513d6ceea4e291a8b877f314b481ed6d83064bf2e1aaca7cbd8531610d95f61b2284330d6e50db8896bb7fa88f0fa1e2cd24d648a847673d32