Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:23

General

  • Target
    6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  • Size
    2.6MB
  • MD5
    68f5422c68bc653dcb3fefafff35e6f0
  • SHA1
    4832c9ee6f9a496ca1f276cb8ad2d43859b29590
  • SHA256
    6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08
  • SHA512
    2c716aa216ad59dc720523fb2cb3476be208e9dc2a6f0be523084d929c0e39517470089236e6be060b500404cc091a8aa8c5efd0e72d2cc5ebba2af579fd95ab
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUppbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
    "C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3548
    • C:\UserDot9P\devbodsys.exe
      C:\UserDot9P\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4740

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBKC\optiaec.exe
    Filesize
    333KB
    MD5
    c21e61e7f02dc9e34e0fed9557148c07
    SHA1
    6a781cfd919cacace205f8f49d07e9bf7f850d74
    SHA256
    cd189de8e1ddbb4d87804b62ad04cc11f67bd5f5bf694ee5a2fc6c7fe22adce9
    SHA512
    10f1e05bffa92c05b89ba7485fca21aec32015f0457675bfab504a77a4255d24e8bfcb9f0446f81000883f8a8ee8d8b9aa8e3fc7449d1855c53628a1f0740edc

  • C:\KaVBKC\optiaec.exe
    Filesize
    2.6MB
    MD5
    962ade4564e516f5bd4a187a1ed68b5c
    SHA1
    8450f86fbb101930afd30538c94d9eb4537a5a3b
    SHA256
    5089611612ab52e3fb06e094d9ee21d8e0759e72af357ae288e9a70d8ad2b33f
    SHA512
    ee9d5e5ea720bdab8fbee53243d957f475f00202880b22014c5905c584f51ae26f676d5810cb89570cbc45dd4eeae3d32fd99d569713c394db2fc869b4b203a3

  • C:\UserDot9P\devbodsys.exe
    Filesize
    2.6MB
    MD5
    efbe368a855747c59aacbe5016e9877a
    SHA1
    a6f12719f2945f1ad3f0c7051469d156fbbbd828
    SHA256
    e353872049e72a893f7708f705c94024e42eb6ace0723885f06eeab4c8a76999
    SHA512
    864137138eb2444d19c9d6841e1d61ccabd7c363443d8e224843ff6342353a5b791bf87010014ec368792eeb31295a73a0a0e3de4ae540068eee4c422cb696e3

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    205B
    MD5
    1c33f30df72f7657384b11cbeafe3d89
    SHA1
    6aea8a8e4401a7b727cc2a539462f9ae64f689ac
    SHA256
    86607bbfd21728e30f4c60724b5efd485fc1ebeb6a71a9f20dd2ef99f55bef6a
    SHA512
    8f124f26df50420408896e8fa8f84b7b919ad3ff175f32c456ba3f527cfa528705e4fb8ecd4bcdc219978d830181c2d515da0e8a1d6ce3b3a727a1de0795b127

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    173B
    MD5
    6ca4c129eea65bb7588a6b09812b8014
    SHA1
    fe758ce26416456942572ffe01865379b8e654b6
    SHA256
    6a5ae70509c2707bba8b6e79a923a486cbbba302b9856a2ebef2dac6831ae015
    SHA512
    351c9c542a56db4a6e938854843b11f55756e5817078738034c910a308b72fac23247172048fe6980c75d19f7174509b87cf592c9dab6a3a2aa9acdae5d784e1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize
    2.6MB
    MD5
    80a224f073b93411a98578784e34ec88
    SHA1
    2b69b5b26b76de13eda0892043b1c2675c63ee24
    SHA256
    9900959f4447efd2229c842d0ed6a645197f3e9be28d316a80b3a39587fcb320
    SHA512
    dbdabf277cf6d09be75c2203068d0b8c1d0c862116d5d44d1b3ac054831c07b2e099681e186f5ef03fc26d9a6f3d6e4d2fad29d234134080c226cf47548f4fac