Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:43

General

  • Target: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
  • Size: 2.6MB
  • MD5: 50131cfca770ed812e92c84b28025510
  • SHA1: 5faffb16ba57b2d99cd86f771a55c25a178138d1
  • SHA256: 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9
  • SHA512: 8eaf537e83ab7f5e2cc2b29ee70a1e89fc1434a9891bfbfbf18012ba81dfdac607e2eba686c0eb08a222c37e8499a854716046baab8a8fff953eb6e8100cef65
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
    "C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4652
    • C:\SysDrv3G\devoptisys.exe
      C:\SysDrv3G\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrv3G\devoptisys.exe
    Filesize: 2.6MB
    MD5: 1b8d209a916e4df2fabae7e6b4223451
    SHA1: 6d758c0f47189b7d688f68541c37ff6fca29206b
    SHA256: 31ebae1d8b321f0ae14fe7992d34db5fe42bdcff10ac94c3839b9aac763ada33
    SHA512: e0ad7920904f937435f7ab5591f8fbabffef62a9e8b01dff5c2176ca1b8d513b6c054e72b9807fb52f83331d4203d226f13b1fe046bc2517988207d96a70fee1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: c4792cf4c53acdcaa73b6ac606d92ade
    SHA1: ec561364b2b1d4a897d73716037f10040969b0db
    SHA256: 18e2bd71f1147b028774719b10a0a8b6cdaf1140134beca8ee88dd1022a03d20
    SHA512: 602c36eab0b4bb650b76081343acfaddbff8cf63def9285c22c3e446e39320852b33b90f1967a53bd5678f25636b21f352c2cd37b08490b7f3a9cb88331e073e

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 8bdf6ba25702a210b0b19a780077487a
    SHA1: c78564a68da3ec3b4ea85435bbd897771691f5cf
    SHA256: 7d41e0c7b065a768070663c920f57850694ed5e5c30ee6359aa785ce0efe32bc
    SHA512: b49183bc4ab81b5b4b0c56d70f2c71d7901b9d72593ec61a372db181fd47d4aa62f583f3233cc245d4f26d24a55a8f0a2fca8614ddaec13091cfa243523c143a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize: 2.6MB
    MD5: 8ea25827e6f6ba00f55fc145c35332bf
    SHA1: c2e639323fa5e7f9b044d43e8e4b91cda4c9af9f
    SHA256: eb6a33d33364fff6df9265287726eacd001211b6881fb5f951ab120db0eec391
    SHA512: 01c21d46f846d96d0f2dc13252c224d385ab9464319696b434d0e32e7fa8b830a87568a2d049cf44a5b0a5ce07211ca1c8d87bf2edd8147e611e0a929d760fd0

  • C:\VidES\dobxloc.exe
    Filesize: 14KB
    MD5: 9262cab29eba6c8ec58cf55dd510774f
    SHA1: 9c109088d1dc40745dede1654950cf3c14a07d0e
    SHA256: e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945
    SHA512: 2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004

  • C:\VidES\dobxloc.exe
    Filesize: 2.6MB
    MD5: 4dbea43aa7eddd1d9b9d39a8073e13ef
    SHA1: a0e2a404da25eec1c2ea91bcdae2087a7f29755b
    SHA256: 0ce075e00ccef6294dddfed236962290424044a716afdc3741e495774d96d5e2
    SHA512: 6b3d2842a4e4433414e0aa91dadd58cf3ce95e3e21041d63c152a603c16fb1c7494c33a707e9091dfb349fdb8ec071ac1fc1f9e7cf20d901b81da49fbca825c3
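Host sweep for the artifacts in this report. This is an added example, not part of the sandbox output, and it is not the sample's own code. It takes the dropped-file paths from Processes and Downloads and the SHA-256 values from Downloads and General, hashes whatever is present on a machine, and (on Windows only) reads HKCU Run values and flags any whose data points at one of the dropped directories; the report counts two Run-key IoCs but does not show the value name, so that match is on data only and is an assumption. Two other assumptions: the .ini is matched with a glob because its name contains the sandbox user name, and the drop directories are assumed to sit directly under the system drive. Note that C:\VidES\dobxloc.exe and the .ini each appear twice in Downloads with different sizes and hashes, so the file at a given path changed during the run; the sweep therefore reports a path that exists with an unknown hash as a "path-only" hit rather than ignoring it.

```python
"""Sweep a host for the dropped files and persistence artifacts listed in the
sandbox report above.  Added example, not part of the report."""
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 of every file the report lists.  A path can carry two hashes because
# the sandbox recorded two versions of the file during the run; keep both.
KNOWN_SHA256 = {
    "254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9",  # original sample
    "31ebae1d8b321f0ae14fe7992d34db5fe42bdcff10ac94c3839b9aac763ada33",  # C:\SysDrv3G\devoptisys.exe
    "eb6a33d33364fff6df9265287726eacd001211b6881fb5f951ab120db0eec391",  # Startup\ecdevdob.exe
    "e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945",  # C:\VidES\dobxloc.exe (14KB)
    "0ce075e00ccef6294dddfed236962290424044a716afdc3741e495774d96d5e2",  # C:\VidES\dobxloc.exe (2.6MB)
    "18e2bd71f1147b028774719b10a0a8b6cdaf1140134beca8ee88dd1022a03d20",  # *_10.0_Admin.ini (204B)
    "7d41e0c7b065a768070663c920f57850694ed5e5c30ee6359aa785ce0efe32bc",  # *_10.0_Admin.ini (172B)
}

# Drop locations relative to the system drive (assumed to be the root of
# C:\SysDrv3G and C:\VidES as in the report).
ARTIFACT_PATHS = ["SysDrv3G/devoptisys.exe", "VidES/dobxloc.exe"]
# Drop locations relative to the user profile.  The .ini glob is an assumption:
# the report's name (253086396416_10.0_Admin.ini) embeds the sandbox user name.
PROFILE_ARTIFACTS = [
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/ecdevdob.exe",
    "*_10.0_*.ini",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(system_root, profile_root, known_hashes=KNOWN_SHA256):
    """Return (path, sha256, status) for each artifact path present on disk.

    status is "hash-match" when the content is one of the report's hashes and
    "path-only" when the path exists but the content differs, which the report
    itself shows can happen (dobxloc.exe was rewritten during the run).
    """
    candidates = [Path(system_root) / p for p in ARTIFACT_PATHS]
    for pattern in PROFILE_ARTIFACTS:
        candidates.extend(Path(profile_root).glob(pattern))
    findings = []
    for path in candidates:
        if not path.is_file():
            continue
        digest = sha256_file(path)
        status = "hash-match" if digest in known_hashes else "path-only"
        findings.append((str(path), digest, status))
    return findings


def run_key_hits(run_values):
    """Return (name, data) Run values whose data references a drop location.
    The report does not show the Run value's name, so this matches on data only."""
    markers = ("sysdrv3g", "vides", r"programs\startup\ecdevdob.exe")
    return [(n, d) for n, d in run_values if any(m in d.lower() for m in markers)]


def read_run_values():
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows;
    returns an empty list on other platforms so the sweep still runs there."""
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    values, i = [], 0
    try:
        while True:
            name, data, _ = winreg.EnumValue(key, i)  # raises OSError at the end
            values.append((name, str(data)))
            i += 1
    except OSError:
        pass
    finally:
        winreg.CloseKey(key)
    return values


if __name__ == "__main__":
    sysroot = os.environ.get("SystemDrive", "C:") + os.sep
    profile = os.environ.get("USERPROFILE", str(Path.home()))
    for path, digest, status in sweep(sysroot, profile):
        print(f"{status:10} {digest}  {path}")
    for name, data in run_key_hits(read_run_values()):
        print(f"run-key    {name} = {data}")
```

Run it as the user whose profile may hold the Startup copy; the HKCU Run key is per user, so a sweep from a different account misses that value. A "path-only" hit still warrants pulling the file, since a different hash at one of these paths is exactly what the two dobxloc.exe entries above look like.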