Analysis

  • max time kernel: 119s
  • max time network: 98s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/11/2024, 16:33

General

  • Target: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
  • Size: 2.6MB
  • MD5: d2808e3373c56fd1aabd501b37bc4fd9
  • SHA1: 5a4486f26e2c3bc11f9f7ec9e8a7e48adb94f354
  • SHA256: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e
  • SHA512: db891ab58cf24b596c68260c65b72b57a54122a0cd00dba892be7b30aab550c3531837486738cf0874dc2408951bf91daeb257556c87a4c4face7c83035177e2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSS:sxX7QnxrloE5dpUp0bF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
    "C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:720
    • C:\Intelproc5I\devbodloc.exe
      C:\Intelproc5I\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc5I\devbodloc.exe
    Filesize: 2.6MB
    MD5: c016eacd9f7efcc81cc2e06fdd68832e
    SHA1: 4b7bb6a1abd2e5feef71e2f826edcadd0038a216
    SHA256: b2359177b7252f962a1d6bd661698650993336671be4e388fbe98d085198772f
    SHA512: 08096d6d24ce0a1bc78521b99e303acd041c02fc1acb713568c4c709f152bfc02db50c00e905b8685164d5cabf0ed62e220703533ac24681ac9b10fdcb741903

  • C:\LabZHL\boddevloc.exe
    Filesize: 2.6MB
    MD5: 81ebde19c896359c206e126fa279a668
    SHA1: ec28525745c60b4ea0f17b8833b4117661363384
    SHA256: 7160fcaf6cc49f2381c3ca8353d227b30af7301c7a1fba12439e00f79c00f793
    SHA512: cb77635ca197e10f309253a787411a293a8d990cd1a151981c1cd7417c425f84e4c953c68fcfcf619de3b1dd108a9aaea04d62197309681b1a6b9571b1117d83

  • C:\LabZHL\boddevloc.exe
    Filesize: 1.6MB
    MD5: f5699417138f0bbbc205c2393ec6f821
    SHA1: 1e9d3e24ffd8de764c2ba9bd32921ebbe49976e4
    SHA256: 436c233dec54df9067c1273e2e801421d82274aad95a1e8f630d044c4b067826
    SHA512: 0db53eda99c647aa262927be74e93cdbeefe56fae4d48a5ccdf6d4d154a16deeb107d5cbdbc5b1f446f66d40ea96deabfb6de691453b4fb1c97991dbc043622e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 210B
    MD5: 562627ca62c84233c97f80c678134eb7
    SHA1: 78ff0b5ed59955353a695df9f52c8f9723f0de58
    SHA256: 2864e6d5dc2039dc8918ae4eb27bcb6b10c426f62b65c7113de9bd9ce9252d28
    SHA512: bc5e4153845dc7f2131168d9554375fcdd7df274ce49e88d17e1bae5129638d815d94d437fd620f6abd66bda93c2b8ddc002c2d6e7f89f677e7ef6cba6a6d904

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 178B
    MD5: 6688fa3c248d848db48bb84557f1900c
    SHA1: bb5c70b6ccec7f9e955cf868403e3e0e18920432
    SHA256: 8933f2ee439a1cb502f164d766f4c8b305aaee57b41bfb7010824d22c02c6e36
    SHA512: 30451cf231022fef85a51ca10ff3dd8f5c706bb341c406fd1421d756e4aa65dcbca3abf5415593fab78d47341193ec1344268fb28391581f43242befffbdead8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Filesize: 2.6MB
    MD5: a9e1c415712e45052d07331c420e0f6d
    SHA1: efe992394fc9e7e683b78b365cd564434286c691
    SHA256: 0cb33540da0bb3c25fa40ce058d82ed1a2cf1b9d664ad7bc5d3d24f653f6ab93
    SHA512: 3b03bb1d43eee0e8534c580a9a89a79a4451f99c23f9237a028855cd68a4b0df24dfd910e98b93fa521b58a8d977ee24fdadcf1ef3b507b760946c7a154731dd