Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:30

General

  • Target

    6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe

  • Size

    2.6MB

  • MD5

    49006d86c71d72775b4982251bb9fd40

  • SHA1

    5ae4cd5c68da2c9dfaf07047028d4dcaf92be31e

  • SHA256

    6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426d

  • SHA512

    c8bf3421783d051084a45372b322f40a74e8f185344b15e412c3f48d72a6a6fd3fab4829f0c1adee5fac32b9f425e8392ff507ee813cf63125d7975e2a2b2554

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
    "C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2596
    • C:\AdobeV7\adobec.exe
      C:\AdobeV7\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2416
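The process tree above, together with the "Drops startup file", "Adds Run key" and "Executes dropped EXE" signatures, describes a small, detectable chain: the sample (PID 2500) writes executables to disk, registers one of them for persistence, and then launches the files it just dropped (PIDs 2596 and 2416). The following is an added example, not part of this sandbox report, showing how a detection would reconstruct those behaviours from host telemetry. The events are constructed Sysmon-style records modelled on this report; their field names (Image, TargetFilename, TargetObject, Hashes) follow Sysmon's schema loosely and are an assumption, as are the Run value name "adobec" and the user SID in the registry path, which the report does not state. The SHA256 values are the dropped-file hashes listed under Downloads below.

```python
"""Reconstruct the dropped-file / persistence / dropped-EXE-execution chain
from Sysmon-style events. Added example modelled on the report; the event
schema, the Run value name and the SID are assumptions, not report data."""

# Dropped-file SHA256s copied from the report's Downloads section.
DROPPED_SHA256 = {
    "d5c064fb38e53667b5c4340081468694da2b9cf9e20f424c8250c20e85813241",  # C:\AdobeV7\adobec.exe
    "7207856ed561c333c185a6552da9e8ec6da47bcee12bc91520e54060ef73de2a",  # Startup\ecdevopti.exe
    "40cad28a6037f880c48f4955a01bd9b40454764cc1f28df0ffa6ebabb0917604",  # C:\VidVK\boddevloc.exe (2.6MB)
    "cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d",  # C:\VidVK\boddevloc.exe (9KB)
}
# Path fragments that mark the two persistence locations the report flags.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"

# Constructed telemetry modelled on the report's process tree (not real logs).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "ProcessId": 2500, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"},
    {"event": "FileCreate", "ProcessId": 2500, "TargetFilename": STARTUP_EXE,
     "Hashes": "SHA256=7207856ed561c333c185a6552da9e8ec6da47bcee12bc91520e54060ef73de2a"},
    {"event": "FileCreate", "ProcessId": 2500, "TargetFilename": r"C:\AdobeV7\adobec.exe",
     "Hashes": "SHA256=d5c064fb38e53667b5c4340081468694da2b9cf9e20f424c8250c20e85813241"},
    {"event": "FileCreate", "ProcessId": 2500, "TargetFilename": r"C:\VidVK\boddevloc.exe",
     "Hashes": "SHA256=cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d"},
    # Run value name "adobec" and the SID are assumptions; the report only says a Run key was added.
    {"event": "RegistryEvent", "ProcessId": 2500, "Details": r"C:\AdobeV7\adobec.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobec"},
    {"event": "ProcessCreate", "ProcessId": 2596, "ParentProcessId": 2500, "Image": STARTUP_EXE},
    {"event": "ProcessCreate", "ProcessId": 2416, "ParentProcessId": 2500, "Image": r"C:\AdobeV7\adobec.exe"},
    # Benign control: a process launching a binary nobody in its tree wrote.
    {"event": "ProcessCreate", "ProcessId": 3000, "ParentProcessId": 1234, "Image": r"C:\Windows\System32\notepad.exe"},
]


def _same_tree(tree, pid, writer):
    """True if `writer` is `pid` itself or one of its ancestors."""
    while pid is not None:
        if pid == writer:
            return True
        pid = tree.get(pid)
    return False


def _sha256_of(ev):
    """Pull the SHA256 out of a Sysmon-style 'ALG=hex,ALG=hex' Hashes field."""
    parts = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    return parts.get("SHA256", "").lower()


def triage(events):
    """Walk events in order and return the behaviours the report flags.

    startup_drop: files written under the per-user Startup folder
    run_key:      (value name, command) written under ...\\CurrentVersion\\Run
    dropped_exec: (image, pid) for processes whose image was dropped earlier
                  by the same process tree ("Executes dropped EXE")
    known_hash:   written files whose SHA256 matches a dropped-file IoC
    """
    created = {}  # normalised path -> pid that wrote it
    tree = {}     # pid -> parent pid
    out = {"startup_drop": [], "run_key": [], "dropped_exec": [], "known_hash": []}
    for ev in events:
        if ev["event"] == "FileCreate":
            path = ev["TargetFilename"].lower()
            created[path] = ev["ProcessId"]
            if STARTUP_DIR in path:
                out["startup_drop"].append(ev["TargetFilename"])
            if _sha256_of(ev) in DROPPED_SHA256:
                out["known_hash"].append(ev["TargetFilename"])
        elif ev["event"] == "RegistryEvent":
            if RUN_KEY in ev["TargetObject"].lower():
                value_name = ev["TargetObject"].rsplit("\\", 1)[1]
                out["run_key"].append((value_name, ev["Details"]))
        elif ev["event"] == "ProcessCreate":
            pid = ev["ProcessId"]
            tree[pid] = ev["ParentProcessId"]
            writer = created.get(ev["Image"].lower())
            if writer is not None and _same_tree(tree, pid, writer):
                out["dropped_exec"].append((ev["Image"], pid))
    return out


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_EVENTS).items():
        print(kind, hits)
```

The "Executes dropped EXE" logic is deliberately tied to the process tree: a binary is only flagged when the process launching it, or one of its ancestors, is the process that wrote it, which is what separates this behaviour from an ordinary installer being run by a user. Hash matching is kept separate because the report shows the same path (C:\VidVK\boddevloc.exe) written twice with different contents, so a path-only rule would miss one of the two artifacts.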

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeV7\adobec.exe

          Filesize

          2.6MB

          MD5

          5395b0685a74a8fb26cc4120beb6bb1f

          SHA1

          68b6d5c0a0d5177c711c4c0476b83f1e8f954c5c

          SHA256

          d5c064fb38e53667b5c4340081468694da2b9cf9e20f424c8250c20e85813241

          SHA512

          0bc58c4e6e719c838ff4d5111e7a5908b215fbe02aa832d7be93242c30f61b3537c0edeea4fafcc0dee995bf589dd45c3f8cef124012e655d0a6e68a23eb5a56

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          2f1124d4bbeb68704c772fffc8263e81

          SHA1

          6be17ce2a3095d5dacaca6ece20023dc4b112ef1

          SHA256

          e82ac0ef04d784c265ba81e1d7b365cb1eb31376116fc5a6eb820f59dc193344

          SHA512

          41d3f957742cf50fd75debf07b5191d1aec0319452ccb6708d4902c3943abed8a725589c66c94e2cb769c588d5dc022e683a46cb0cc7eae9da5ea9e385bf8771

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          7914b75ad252b2e12c67bc2a1c878f74

          SHA1

          bdadde5d31f86e0b40daf37a8f2a5c31d908ea49

          SHA256

          eaf95235fa38c61f024ef8d6e5a2b0b2de538afd021c41c81bee1614d3547413

          SHA512

          2cc888e9af75ecf1837c5f6a6339ce40a29fda736c35b3c541bbdd03b93b1e6322429e19584996ddcaad3eb141cda78f8823b0799a7a6330a8067a807a69a0ee

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

          Filesize

          2.6MB

          MD5

          795d1a8433846991e452732402f8694d

          SHA1

          c5baf8b53ab1bf0763f45a88364be4dc54ff241c

          SHA256

          7207856ed561c333c185a6552da9e8ec6da47bcee12bc91520e54060ef73de2a

          SHA512

          1c9d1eaa65eab9fd8eb4fdf42785a2a52ac4c8432d480c4471301ddbd10b62002fd2fb2cad9c277defd8e5d685ef6b5fc2e33ff78ca8b03a656937541e9ac748

        • C:\VidVK\boddevloc.exe

          Filesize

          2.6MB

          MD5

          499c99ea5e9fce55980f657559f1d7ee

          SHA1

          8e47d11db29fb413fbfddaabdc85fd33c24aea65

          SHA256

          40cad28a6037f880c48f4955a01bd9b40454764cc1f28df0ffa6ebabb0917604

          SHA512

          e1dd7e0f90f4e8a9a41ee732ab71461256de675a466a20d3f4e8853060005e382f3b4ee816e58e7e4ce37dd026e25a3fa13d0e51300a943bf948126046b712ae

        • C:\VidVK\boddevloc.exe

          Filesize

          9KB

          MD5

          16a4bb0fc3d5c44be3028068af1ea1ef

          SHA1

          3525da0805ed7773dfef437f24482b727389e9db

          SHA256

          cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

          SHA512

          b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b