Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:38

General

  • Target

    aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe

  • Size

    2.6MB

  • MD5

    c7e50d61c00eb75bba1d48ee02bef93a

  • SHA1

    e0157de06f8dbeac93620ef7eaa32b5ce9f41339

  • SHA256

    aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde

  • SHA512

    46b57b94d31730ef3d11c4a22cbeb92888a349f50cd439d3b378959ff64438480d1d7ea145c2dca972629df5502109f81ecf2ebdd6ba26f3be1dfab2a5bcdb5b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqI:sxX7QnxrloE5dpUpobVI

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
    "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2364
    • C:\Files9A\xbodloc.exe
      C:\Files9A\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2700

Network

        Downloads

        • C:\Files9A\xbodloc.exe

          Filesize

          2.6MB

          MD5

          ab40f8f2e62200bb1ee9dee46be5a572

          SHA1

          c3bf48527f2c3ae74d72236dd6067d0957f6ccc8

          SHA256

          ac0bccea708a01c39038314e81ad131bcb1f6d07d1e955afb7faa35de5fa39dd

          SHA512

          bba359ab38212c54e397bb74abcf0a03fbf5eb9fcb6d1296ba22d4a6fabe60dfc82db04750122382fd9f9f0d851716d42fbe3adaf0d30be1a1f586fb2b30ab20

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          60151bbe6453256c273a81b6ba25146a

          SHA1

          46e5f038c3e30ca153cebc9e53a680e44faba881

          SHA256

          7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6

          SHA512

          ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          478a7bc2b9f9478fb3850f7d8e89c557

          SHA1

          b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0

          SHA256

          3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2

          SHA512

          63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9

        • C:\VidY9\boddevsys.exe

          Filesize

          2.6MB

          MD5

          55e522d0df04f016d41eb9c70fba2229

          SHA1

          7779ed5d0ede5f8ff781d7ab77b93d32215ed099

          SHA256

          a514983d65c0a79dce30255d214f1737874922956cb46cfb25f60421910b8758

          SHA512

          c08db5cfcc9cdee57c224217644cd7dd2d54e262e1010e76f799dcd5972d839729ef9ee0ebb117d1ca7beed0f783fcf386d6054aad5b029073ee2191f5e0a809

        • C:\VidY9\boddevsys.exe

          Filesize

          2.6MB

          MD5

          d95f209c6ed6c820112bee01886eebc9

          SHA1

          459e56c005f66cd9cc9923a66109d7b9330d8ad1

          SHA256

          0f0fc81d47826f86350624cad74595c681237b96988d7b25034b357c778ed8ae

          SHA512

          2b8902a2ddb15f77d6d3891e495c431214eae96e136af9e947defbdadd30acd394fac7f8152926c958681e402e0459df6d76bdc1b30f6a771065a3fda0f7be36

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

          Filesize

          2.6MB

          MD5

          6b92cb0243a50aa83c7a656d1b89b31d

          SHA1

          086750dd9b8c8dfe45e0d6249a9f460cf6168def

          SHA256

          44fda56c86395f9b42493e2244cc36137a421cc0757db3de69ad6a61dbaa67ce

          SHA512

          1751f2f1c404b0e83cde9176549fb1c0ef066ceadad3840d892283cafce2f198a44510bd52295799a83f2b42d31e274aee4de0ecb7b4c11f90a45a57b8dfc2c6