Analysis
- max time kernel: 119s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 23:24
Static task: static1
Behavioral task: behavioral1
- Sample: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Resource: win10v2004-20241007-en
General
- Target: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Size: 2.6MB
- MD5: 2e47363aafdf52a77e53e93942f5cff0
- SHA1: 7ecd9a116d4e5e7b3c5d4342a05984e86c777bd2
- SHA256: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7b
- SHA512: 0a0c086e1bb060fb85c6b75befb53710db13a8eb54d5587444b18dc6d8e1122dad733c91b6c4200e4c4bb1f75166434bcc09736e0efda3a01326549bd55fa4bf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUp6b
Malware Config
Signatures
-
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  Process: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
Executes dropped EXE (2 IoCs)
- PID 4408: ecadob.exe
- PID 2408: devdobsys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOP\\devdobsys.exe"
  Process: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMR\\bodxec.exe"
  Process: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
An attempt to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecadob.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devdobsys.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 repeated pid/Process entries across three processes:
- PID 3184: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- PID 4408: ecadob.exe
- PID 2408: devdobsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 3184 wrote to memory of 4408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 86
- PID 3184 wrote to memory of 4408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 86
- PID 3184 wrote to memory of 4408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 86
- PID 3184 wrote to memory of 2408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 89
- PID 3184 wrote to memory of 2408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 89
- PID 3184 wrote to memory of 2408 | 3184 | 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
  PID: 3184
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (depth 2, child of PID 3184)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 4408
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesOP\devdobsys.exe (depth 2, child of PID 3184)
    Command line: C:\FilesOP\devdobsys.exe
    PID: 2408
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: b5ce79180961884259e1c1466500358e
  SHA1: 08088d284a19c038201131db4e8c4325ed7a0c3c
  SHA256: bcf2177cd1e4d890569ff4acb622c8672e6399cea88ec78e9fc416cd4e969596
  SHA512: 7b4296df27d6a162a11cb930a353f2c88b9a543162cca2fe78cf59a92a59f8a29644a9dcd8972c92904c18bf06c5ac3199c99d001492db534836ddbeed7e9d72
- Filesize: 492KB
  MD5: 5460b10c42b06e262412fc3e28bc22ec
  SHA1: 293983cb6589fb09095e36026a8b83e08a005391
  SHA256: 8b5ce7ffa24e877429ef276eb2d9700eb12ccf478560a35a998ec5c0ec97522a
  SHA512: 08a31e3d00c6c398e3b1468e024fe769c128129c510bf226ef2d306b7123844e3dc77b234b498bf5f6922cc9b4818e578dec1fd4ee858cda5d2a5ab5b21dda14
- Filesize: 2.6MB
  MD5: 97b873cbaa5481c8bb8ac61ca22ef18a
  SHA1: 8c70f3deef9bc063e352ab311dbac0c61c27cbd2
  SHA256: ffe0382174eb399e8a26d888d833a5f386e180ca9be6e4d67985914057ad78f4
  SHA512: 95821acc431b96a77c0fd070f9e34cb1b119c805f2cd312d615fbcf7e951094d48e8a9ea35a3f1097137909af38a73a4cf3673cbb1b860383d8ffddb964ee042
- Filesize: 200B
  MD5: b9bb07f9928c63d7e7cae7c90799d3d1
  SHA1: 41ffd2866d076666d5db0e7bc450cfc40072ba08
  SHA256: b775dbe2a2b1e9584f099743463f22f83e35b3a0fc09886ac089f6c3d4b75487
  SHA512: 6a03cbb5a6c7f08f47316b82c33960e2e75f1d61f83ed014c5fb6ea9ca3e825c4bd5a92b29bd0fff95a3f4f431f5ca7abd2a049e5691f5376613e7684b74ae75
- Filesize: 168B
  MD5: c91740359f094806ca93e94e5a61d1f3
  SHA1: 92d963c136b9e0d5d5f94c7052c7c32dcf4c2983
  SHA256: c80739766545d3bf3f8f7dc30ae6d374a0de98c2def63ef3f620db671ff77cfe
  SHA512: b2723cab9aefef97c64562d237b4fcbc41d28d3fbfdaba96cbca0040f9ac884929bd470ea657d9ff5fbc419788c539cdede8751a4a68d96656a0410ae6e03812
- Filesize: 2.6MB
  MD5: 6b97322d9323b343e6d5e57bcb0cd4e2
  SHA1: b6686b7ced772a086e1619be36633f021f849a3c
  SHA256: dfd5e5b355af91e52a163672994836cd90ab910e0cde57325adc638a98ab36b1
  SHA512: 58af4eee3e4898513d6ceea4e291a8b877f314b481ed6d83064bf2e1aaca7cbd8531610d95f61b2284330d6e50db8896bb7fa88f0fa1e2cd24d648a847673d32