Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:34

General

  • Target

    7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe

  • Size

    2.6MB

  • MD5

    3fa5ecad405ce4b1ed6f6fbb4fcd1350

  • SHA1

    7dbf377d4e7a50197cebbe5a1b8f8d8eb77f31e9

  • SHA256

    7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098

  • SHA512

    a9cabf8b3751830cc894959bcb8bbf06deda309e0aabcd3b85de04afe8100afa500d1e6e22dcdbbf67692de30fff246c86c6f411d52a1850dd8cfa5e3ed127a5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUp2bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
    "C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2260
    • C:\Intelproc9F\adobloc.exe
      C:\Intelproc9F\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc9F\adobloc.exe

    Filesize

    2.6MB

    MD5

    fb702db1f93f18f3f868d49e519e4d16

    SHA1

    ef3c93e210e8c74c937da11755cbe276667655b0

    SHA256

    cce86bee7152a770f171c3753b52ea6e273730100bd5c032a7b479e2b575a99f

    SHA512

    04589e24768f33c132d0f9b86b6b3646d07d59fc2ffb78b9a4fdcba824329f769e124880d9461e52a04d829a81f0156f3a029f005f50df7cf97f2325669a3b60

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    3d12847dacefcce53dcac7d1348acd3a

    SHA1

    51b185ac0fce96138225762a37ed5e1a079f6079

    SHA256

    d3c285170f05ece82fd7f468fe0ab84e748157fff4d585df8e447acb1f41eb5c

    SHA512

    08d40f930c7403b91006232f97106daa939a12f67833d177068b76d7fcb53e53171e1a6d273a92bd3ca784d58ce094d304c859d2f7b4ce7e64929cee5f9ca50a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    4c1657d99fa370c250848f3191bb827a

    SHA1

    d0223d52f5cf12ce2ad81efb4f43f8efb2d32404

    SHA256

    c4e6f6d95af03567a3a023bee01b52b2247de737cc6768fbb25462058bd5b5c6

    SHA512

    94303e5fbd22a806ee161c96b4cce3d5603e8d0f2fbb223584a3a22b4b51d55ac66e13b58c1480d844d58b2ce2df6fc3c4160658519af1c9a08bb61c1ce3586d

  • C:\VidJB\bodasys.exe

    Filesize

    2.6MB

    MD5

    f6b60415fcb2a411d24a5696e80c5d74

    SHA1

    2c7825a4d2e6235f4fcfb5196f80235cf56b32a3

    SHA256

    1ff4f566f12e848fc49f9770b1acd6cc066b778ac720a0648d0c9199a4790621

    SHA512

    8195e8a86469d9cf3872151e4baeccfab7a39bc730fe074eeddf33afbe1da8d9a4ee267d6831daa828b6de1d183f526770f47a83787462225a5fea2e69ddf6f4

  • C:\VidJB\bodasys.exe

    Filesize

    2.6MB

    MD5

    e1de8b30297d5a3d1f7db8715ff53bce

    SHA1

    88d32c76dd4cc1fa65d86093caf7285abf5df9a8

    SHA256

    e2269e993847747d80d2fe7df02621c696dae5528200689c220bc58e1b39440b

    SHA512

    9857ef146fd40c866a005c8f0d4fe5907402b164a1e0520602a74de41808a6f600a86fb6ef4d04bf19d4df8e0506087cfc48a0e6913e2da902e6aa3e1d2c91ca

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    ed8ebaf280635d5cc4b194b3465d252d

    SHA1

    bd63bd627dcb73a4b6e67e2cea27ce63f461b9b3

    SHA256

    3162862d447752b51a58c54affd46fe4a86adaa121d5e3fb66d0bf74112abaf7

    SHA512

    c1f064cb4921e91444ead25d79c51000eb71343e25c23139261e10d0d6c24554b1e2c6911a679fc278b76ef46b34c08307c953f140c7deb938ca6b4faa85d1db