Analysis
  max time kernel: 119s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/11/2024, 17:23
Static task: static1

Behavioral task: behavioral1
  Sample: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Resource: win10v2004-20241007-en
General
  Target: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Size:   2.6MB
  MD5:    68f5422c68bc653dcb3fefafff35e6f0
  SHA1:   4832c9ee6f9a496ca1f276cb8ad2d43859b29590
  SHA256: 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08
  SHA512: 2c716aa216ad59dc720523fb2cb3476be208e9dc2a6f0be523084d929c0e39517470089236e6be060b500404cc091a8aa8c5efd0e72d2cc5ebba2af579fd95ab
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUppbV
  The submitted file name is the sample's own SHA256 with an "N" suffix, so it carries no information about the original name the sample was distributed under.
Malware Config
  (empty in this report)

Signatures

Drops startup file (1 IoC)
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe  6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  The dropped file is a bare executable placed directly in the per-user Startup folder, where legitimate entries are normally .lnk shortcuts.

Executes dropped EXE (2 IoCs)
  pid   process
  3548  ecdevdob.exe
  4740  devbodsys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No per-process IoCs are listed for this signature in the report.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9P\\devbodsys.exe"   6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKC\\optiaec.exe"  6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Both values live under the logged-on user's hive (HKCU), so writing them needs no elevation. The doubled backslashes are the report's string escaping; the stored paths are C:\UserDot9P\devbodsys.exe and C:\KaVBKC\optiaec.exe. devbodsys.exe is also launched directly during the run (PID 4740 below). optiaec.exe does not appear in the process tree: it is registered to run at the next logon but was not observed executing within the analysis window.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevdob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events attributed to three processes: the submitted sample (PID 4268, the first four events) and the two dropped executables, ecdevdob.exe (PID 3548) and devbodsys.exe (PID 4740), which account for the rest, alternating between them.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                                                                 procid_target  count
  PID 4268 wrote to memory of 3548  4268  6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe  87             3
  PID 4268 wrote to memory of 4740  4268  6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe  88             3
  Both targets are children the sample itself had just launched; no writes into pre-existing processes are recorded.
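The two persistence mechanisms recorded above (a copy dropped into the per-user Startup folder, plus Run and RunOnce values under the user's hive) are the first things to sweep for on a host suspected of running this sample. The PowerShell below is an added hunting example and is not part of the sandbox report or of any tool the report describes. It enumerates the same autostart locations, resolves each target binary, hashes it, and flags entries that match the file names, the registry value name ("Parametr") or the SHA256 values from this report, that point at a missing file (the dangling RunOnce case), that sit outside Program Files and Windows, or that are a bare .exe in the Startup folder. The SHA256 list is copied from the General and Downloads sections; the Downloads section does not say which hash belongs to which dropped file, so all three 2.6 MB hashes are treated as one indicator set. The function names and flag labels are this example's own.

```powershell
# Added hunting example (not part of the sandbox report). Sweeps the autostart
# locations the sample used: HKCU/HKLM Run and RunOnce values and the per-user
# Startup folder. Indicators are copied from the report; helper names and flag
# labels are this example's own.

# SHA256 of the submitted sample plus the three 2.6 MB files listed under
# Downloads (the report does not map those hashes to file names).
$KnownBadSha256 = @(
    '6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08',
    '5089611612ab52e3fb06e094d9ee21d8e0759e72af357ae288e9a70d8ad2b33f',
    'e353872049e72a893f7708f705c94024e42eb6ace0723885f06eeab4c8a76999',
    '9900959f4447efd2229c842d0ed6a645197f3e9be28d316a80b3a39587fcb320'
)
# File names from the Startup drop, the Run value and the RunOnce value.
$KnownBadNames = @('ecdevdob.exe', 'devbodsys.exe', 'optiaec.exe')
# Registry value name shared by both autorun entries in the report.
$KnownBadValueNames = @('Parametr')

# Registry autorun targets outside these roots get an UNTRUSTED-PATH flag.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ }

function Get-AutorunTarget {
    # Reduce a Run/RunOnce command string to the executable path:
    # drop surrounding quotes and any arguments after the first ".exe".
    param([string]$Command)
    if ($Command -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutorunEntries {
    $entries = @()
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider.
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{
                Kind = 'Registry'; Source = $key; ValueName = $p.Name
                Target = Get-AutorunTarget ([string]$p.Value)
            }
        }
    }
    # Per-user Startup folder: anything here runs at logon with no registry entry.
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{
            Kind = 'StartupFolder'; Source = $startup; ValueName = $f.Name; Target = $f.FullName
        }
    }
    return $entries
}

function Test-AutorunEntry {
    param([pscustomobject]$Entry)
    $flags  = @()
    $sha256 = $null
    $exists = Test-Path -LiteralPath $Entry.Target -PathType Leaf
    if ($exists) {
        $sha256 = (Get-FileHash -LiteralPath $Entry.Target -Algorithm SHA256).Hash.ToLower()
        if ($KnownBadSha256 -contains $sha256) { $flags += 'KNOWN-HASH' }
    } else {
        # The report's RunOnce value pointed at C:\KaVBKC\optiaec.exe, which never
        # ran in the trace; a dangling autorun pointer is itself worth a look.
        $flags += 'MISSING-TARGET'
    }
    if ($Entry.Kind -eq 'StartupFolder') {
        # Legitimate Startup entries are almost always .lnk shortcuts; the report
        # shows a PE written there directly.
        if ([IO.Path]::GetExtension($Entry.Target) -ieq '.exe') { $flags += 'EXE-IN-STARTUP' }
    } elseif ($exists) {
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($Entry.Target -like "$root\*") { $trusted = $true }
        }
        if (-not $trusted) { $flags += 'UNTRUSTED-PATH' }
    }
    if ($KnownBadNames -contains [IO.Path]::GetFileName($Entry.Target)) { $flags += 'KNOWN-NAME' }
    if ($KnownBadValueNames -contains $Entry.ValueName) { $flags += 'KNOWN-VALUE-NAME' }
    [pscustomobject]@{
        Source = $Entry.Source; ValueName = $Entry.ValueName; Target = $Entry.Target
        SHA256 = $sha256; Flags = ($flags -join ',')
    }
}

Get-AutorunEntries | ForEach-Object { Test-AutorunEntry $_ } |
    Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it in the context of the user whose hive is suspect: the report's values were written under a specific user SID, and HKCU: only resolves to the hive of the account executing the script. UNTRUSTED-PATH on its own is a triage signal, not a verdict; many legitimate per-user installers also register autoruns under AppData, so combine it with the hash and name matches before acting.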
Processes

C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe (PID 4268)
  command line: "C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 3548)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  child: C:\UserDot9P\devbodsys.exe (PID 4740)
    command line: C:\UserDot9P\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
  (no entries in this report)

MITRE ATT&CK Enterprise v15
  (no entries in this report)
Downloads
  Files available from the analysis. The report gives sizes and hashes only; it does not name the files or map them to the dropped executables above. Three of the six files are 2.6MB, the same size as the submitted sample, but each has a different hash from the sample and from the others.

  Filesize: 333KB
    MD5:    c21e61e7f02dc9e34e0fed9557148c07
    SHA1:   6a781cfd919cacace205f8f49d07e9bf7f850d74
    SHA256: cd189de8e1ddbb4d87804b62ad04cc11f67bd5f5bf694ee5a2fc6c7fe22adce9
    SHA512: 10f1e05bffa92c05b89ba7485fca21aec32015f0457675bfab504a77a4255d24e8bfcb9f0446f81000883f8a8ee8d8b9aa8e3fc7449d1855c53628a1f0740edc

  Filesize: 2.6MB
    MD5:    962ade4564e516f5bd4a187a1ed68b5c
    SHA1:   8450f86fbb101930afd30538c94d9eb4537a5a3b
    SHA256: 5089611612ab52e3fb06e094d9ee21d8e0759e72af357ae288e9a70d8ad2b33f
    SHA512: ee9d5e5ea720bdab8fbee53243d957f475f00202880b22014c5905c584f51ae26f676d5810cb89570cbc45dd4eeae3d32fd99d569713c394db2fc869b4b203a3

  Filesize: 2.6MB
    MD5:    efbe368a855747c59aacbe5016e9877a
    SHA1:   a6f12719f2945f1ad3f0c7051469d156fbbbd828
    SHA256: e353872049e72a893f7708f705c94024e42eb6ace0723885f06eeab4c8a76999
    SHA512: 864137138eb2444d19c9d6841e1d61ccabd7c363443d8e224843ff6342353a5b791bf87010014ec368792eeb31295a73a0a0e3de4ae540068eee4c422cb696e3

  Filesize: 205B
    MD5:    1c33f30df72f7657384b11cbeafe3d89
    SHA1:   6aea8a8e4401a7b727cc2a539462f9ae64f689ac
    SHA256: 86607bbfd21728e30f4c60724b5efd485fc1ebeb6a71a9f20dd2ef99f55bef6a
    SHA512: 8f124f26df50420408896e8fa8f84b7b919ad3ff175f32c456ba3f527cfa528705e4fb8ecd4bcdc219978d830181c2d515da0e8a1d6ce3b3a727a1de0795b127

  Filesize: 173B
    MD5:    6ca4c129eea65bb7588a6b09812b8014
    SHA1:   fe758ce26416456942572ffe01865379b8e654b6
    SHA256: 6a5ae70509c2707bba8b6e79a923a486cbbba302b9856a2ebef2dac6831ae015
    SHA512: 351c9c542a56db4a6e938854843b11f55756e5817078738034c910a308b72fac23247172048fe6980c75d19f7174509b87cf592c9dab6a3a2aa9acdae5d784e1

  Filesize: 2.6MB
    MD5:    80a224f073b93411a98578784e34ec88
    SHA1:   2b69b5b26b76de13eda0892043b1c2675c63ee24
    SHA256: 9900959f4447efd2229c842d0ed6a645197f3e9be28d316a80b3a39587fcb320
    SHA512: dbdabf277cf6d09be75c2203068d0b8c1d0c862116d5d44d1b3ac054831c07b2e099681e186f5ef03fc26d9a6f3d6e4d2fad29d234134080c226cf47548f4fac