Analysis

  • max time kernel: 118s
  • max time network: 105s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 23:38

General

  • Target: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  • Size: 2.6MB
  • MD5: c7e50d61c00eb75bba1d48ee02bef93a
  • SHA1: e0157de06f8dbeac93620ef7eaa32b5ce9f41339
  • SHA256: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde
  • SHA512: 46b57b94d31730ef3d11c4a22cbeb92888a349f50cd439d3b378959ff64438480d1d7ea145c2dca972629df5502109f81ecf2ebdd6ba26f3be1dfab2a5bcdb5b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqI:sxX7QnxrloE5dpUpobVI

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
    "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5060
    • C:\FilesHR\xdobsys.exe
      C:\FilesHR\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2468

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesHR\xdobsys.exe
          Filesize: 1.8MB
          MD5: 2e14ee6125a70de2dd549e74db1c538b
          SHA1: 949385f95d76b6aaded14597aca8198551df421e
          SHA256: 2d956d7b32b40a78a73328d5f24467b3a671304e29b0246b9a20d970a2dca344
          SHA512: a9417c15ababad2a3e9923faf3dee23b8d2000de14673314d208222a17fca29b885b60c379d7c112b31556d41ddff46a3498c51d8eec69b2129b531901f1a39a

        • C:\FilesHR\xdobsys.exe
          Filesize: 2.6MB
          MD5: a8e491d29898b6887eb547e2f4589ec3
          SHA1: c566090a876f4eb43734a22ea4777e8189032550
          SHA256: 20e1e105da99579bb5491ad3bf6927b1c826935608190f3e77c8f8849df3f490
          SHA512: 29b483bb12cfa967a8ae24a060cca001c0431858e39bfb8e8a683b158df4c4ef5c2b2738c0972279a2665cdcfa9f6b35b83db5bb7e8f689f19cb5ed0c58db0a9

        • C:\GalaxHY\bodaec.exe
          Filesize: 2.3MB
          MD5: 149fabe738efd2711485730b84d00f8a
          SHA1: 7c4493e04792d60e86d0d02b8de857c965e4dcd3
          SHA256: de613eb2e3fc63775e89e155e2ea2c7ad1214010536fe775ab16cf727a7fa67b
          SHA512: f3bc7ce3986cc6b100123815fdabd9c239f1510d34ce1b0c2222c86053acbb4140ec31408e03db236b60fff73dba3fd1037b80ac71b0183233b7d61a1ccb8520

        • C:\GalaxHY\bodaec.exe
          Filesize: 2.6MB
          MD5: 82034ff2935be1a2c76118def6115bbb
          SHA1: 8b1fd87223feebe5460cbdfe73de927238e9603f
          SHA256: 0d80432c3b077ccd5d7b4b3dde849c274b3d9d78e49a12a48c146eb212e07b90
          SHA512: 4aba53f010317b475d0e6e1cdf730e853b3182eef482c4e14e663dba5e75a7ef5e14625584a7cfd409494ee82a5e7f2b7e0fb996dfc0ac243b233a619a54515b

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 202B
          MD5: 6c71b80b467bb9ca2e0b4d3ed244c6f5
          SHA1: acf646bbf6d366f83b44fe508d2524f3b0b46a18
          SHA256: b04ce25c1714e1976a81cf62f29d766e35e1a3834607491eef5231a79ff44033
          SHA512: 0c2bb56fa4dd1e6c03196603f0d2996939495ae2e32d092b762be529b1567d617bc4e3a96ab134ceaaaddf0172aaa4571e4f487a8efee02d3748f1816d7e287e

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 170B
          MD5: 7d14e312d954e286bd97e6cd17799e0e
          SHA1: c7b0a9edaa094b9e62413e8ffd999edb4c9f8b39
          SHA256: 7bdfbab1a8e6dcee91d942e48c059d3b7567519b77bafae1921c205227120f0d
          SHA512: d565661701570437ff150ce37367b43deb22bdfa73bd4b69f1e86b1c65fa89a57334ff8697cff021928d1eebd1398d5ddefa47ee7125a725b71a481a222f4e16

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
          Filesize: 2.6MB
          MD5: dfcfadfb45708033bedc7d3eca206b80
          SHA1: ad9d01fa0ef828e0f80b772cb962b0b4a3e49ad3
          SHA256: dcdc488d74d7145fbfda97f5ce43d2e6806b1331bff4330271dfc4784ad2dcdb
          SHA512: 7e4bce8653bf50f15136a9ed9e9f5721776e9955547c99c7fcb0c39f49fb6edb8f448a440a8f9feacb3f47e617678fa8e7647b5b1184f791060393556ebde077