Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:31

General

  • Target

    7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe

  • Size

    2.6MB

  • MD5

    04a1537d62800d2cba94e14ced5665f5

  • SHA1

    02a4c88b2de8e63189b08950e4c9ba4a6f8b75b3

  • SHA256

    9a31ec079f9330ff7ddf0422629886da291a0eb802c11a33099e00a5766221b1

  • SHA512

    3f365007e6e73892140da601a659e2b42fa10daa60eb322bc972efab349bb0cdefd1b8c5134b62cf7546e25c0c3ee237e67ee71456d5dea4a5fb9ab3da7e60f3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSL:sxX7QnxrloE5dpUpvbQ

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
    "C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1884
    • C:\UserDotX9\devbodec.exe
      C:\UserDotX9\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1784

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\UserDotX9\devbodec.exe

          Filesize

          9KB

          MD5

          61b773990ee27e9e908970e63b267f79

          SHA1

          522f4b8bd8207fe759634142fdb72607b71380f4

          SHA256

          8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d

          SHA512

          6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          510a365a67291b85e3824c8e62fa574d

          SHA1

          f20ecda34a2d51b223546c34359c018e6e613c20

          SHA256

          bdd57dda22fe7bf16673edb5f820aecf97656b748295cc587d43d2d5307b8304

          SHA512

          ae5ef1fc4a5725e2e265a81bc9d57e0b41ab0654907a386ec2a32f799dabbf32d97ef6baad2f66388cebcb503b2f6acc3c6408c97a66336fcfa63c92048a697e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          88a6a9490ab7d86262f37870f627f1e0

          SHA1

          02cb4617a8dbee4162c1bfb07830a383e4e80c8c

          SHA256

          a642addacd2b647a2917efc2b9fdae4c2ba93a619b5ab4c0d67fb9b82978c8aa

          SHA512

          44e6d336e6fc98edc50e1d73a073473a29a57944f331b3b7242f655cb6adc0dd77529097972e1b2706242a6fcd7ebf0991e0192ea692dad595b1536f775facca

        • C:\VidND\bodasys.exe

          Filesize

          2.6MB

          MD5

          66d955acf067bad35225231bcdcbe0a5

          SHA1

          64807b0b5af24aff572878ae94902c1c37a1e3bb

          SHA256

          7263360a18c6bbe64ee48ed0413d9cecb1f859ab68a414e37284fb3bbe44c575

          SHA512

          7e89b2371d637a68e27b182b8dc501c580a6f9de8ea6e92ce157d7dbcf53f5aeb57f8531ab34f336ee9ce59fe0e1ec4552c683b0861d4026855d98dea65cdd92

        • C:\VidND\bodasys.exe

          Filesize

          2.6MB

          MD5

          cbafd637d7eae1157846863c8a8c4067

          SHA1

          4e2a030cd1e33f32c8a06abcaf0567562e778268

          SHA256

          ef70d114bbf565fac16330699adb55e1c36fc7f8f6c178e02cc968545d0051a1

          SHA512

          3a772bea948e46c94704ec708f878f73b4d1664ebd44e7e6b065d5158ce6a7fe53d86992a4da2ad3e65e2ae88a950f02ee8afccbc8d748846f58dd27e7d8fab1

        • \UserDotX9\devbodec.exe

          Filesize

          2.6MB

          MD5

          69fae0f5168b279dc99e205aa07bd1b9

          SHA1

          4499b872ad386ab003b60e24b0cc54c359a9f8bd

          SHA256

          937aafa864a142dba445da0ba21a8f3bc451c002c4a73a8b0f55a3f860869475

          SHA512

          487474095b87b7d29095dd94ff2916191f71ecde5d6040fa800f30df2959c182792e405ad5f9ab964b80886a2356e8d0c74c6a9e602aaa9e86a43508eca47f33

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          31b2239cd3e253bf9a0222c258d7a15d

          SHA1

          a5d718b31fe4dd5e1258e7e4257f61a3149d7f3b

          SHA256

          640ab584e19287e8722e6fc446c99fc9df61bbcb41f56d26b8b73c50b8f146a2

          SHA512

          20505087879a8a4c6837365ad4cf00f5a6dfad6db3ca4b42ccd0f0adfeb385749fe9547dd20ad1c62a5ce730923816569fa9515b4d39164bbeee51bd4a8650d2