Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:56

General

  • Target

    9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe

  • Size

    2.6MB

  • MD5

    cbd5e96b9a7b33d1320493b1327e8110

  • SHA1

    7eb7af8cf902e4cf765f289327d60c7cb1be55fe

  • SHA256

    9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8

  • SHA512

    cc3de625dc8be39db4c62b36ce4ea4d7fb16b841a13b1bc5fe378e54b5a1074b2106f4f85d1db4fe44455f0721540d16b6ef509a5899d7dfd53d9a07db8d34dc

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSq:sxX7QnxrloE5dpUptbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
    "C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2360
    • C:\Files3X\devdobloc.exe
      C:\Files3X\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files3X\devdobloc.exe

    Filesize

    183KB

    MD5

    2e225a2d8fbb510df0e9d10ed08a2948

    SHA1

    0b352fc966668cf0af9975bfe452bb2862402d3e

    SHA256

    5912d778da8b2fc811d020c96395df1ec95af34f0d3800d8e4524ac00f0e8345

    SHA512

    29b390a80b3b70e36a4034d1395811884a280b6bcab29a7079b926b64b45b36330959d09e74a27cf3cc8af4382b4930d81a7306fd2b3e4687026157a81d785ba

  • C:\Files3X\devdobloc.exe

    Filesize

    2.6MB

    MD5

    f6b59d19aa0cc1b02bb58fdcd8f35da0

    SHA1

    75bdc3e85eeebe5599339f6d233393e3ed6483bb

    SHA256

    3fdcab2c02242bddce8bed8e662742cf3539c05a2ef5d3df9f1ec067ce96af92

    SHA512

    a19af520c9d44d20a92a1d4cedeb0e323beff7b4a97f71dae0628a743e86be4eded4e933e78fa71552eec90bc04e447c2545dbfc31b726e911c30bd22425c513

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    553732abc93bee21a254326f8af6f514

    SHA1

    340daed6819acf752c6b4802499fe1fccc944d05

    SHA256

    912ffca1f4fc604b337d487ec66ef29e0ddfa11bc02365a87b71f6c8141885e4

    SHA512

    719d4d75272be1f402db8ca9e0542aa099593c18ed2e0c5429135f288039e70272707f2b40fbc8cf90b11a8cb46f417b0b7a7f749ac5af47053c767451a3ed3c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    fd18659289fa188a33b2c00821b73614

    SHA1

    ce425aae5ac7a10e9f967740ca4f5a4c8581786a

    SHA256

    fa7e0362559c7ac7e8f24df15b66714f46b0a0d6c6dc01bb7429b5926ccc5eb4

    SHA512

    51dfbeeac84cb591d38319266b1fd5d9bf6206d5e166bce1e22b3746c63ff570e3de7d7d58eb40c6fc6d5a36a8d4950787b03203668517a54252b7b6720b2fb3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    2.6MB

    MD5

    0c09ab6fb84a8a427f5f6dfd76291201

    SHA1

    555cc8e5edfc2b73b28edc83fed57f0cb5e714cf

    SHA256

    835a59d0dbef262051721a1e70ec343a8bcf8747ff7fbeb55c3b2d0f9fcbb2d7

    SHA512

    9cdfa66a13f2e6869638921357f6089f2048408eebe5fd446622c78b5a43c424285ec58014d9542086a7ce798e0a0c3b11561ee83a2d7889f5263555ec33d913

  • C:\VidEI\bodxsys.exe

    Filesize

    2.6MB

    MD5

    39357249f5df366bd27fe914673ad862

    SHA1

    be31c9d00df76115eabc3bee4dcfe80aa20526dc

    SHA256

    9cf0e114a36f299dd71c04ed93d7e17dafe457f9321c274e99eb1d225c9dcf3c

    SHA512

    360a66ba8c915a13d95d92a402c8e81e5023eff1e686c35919362c85813b71d94401dcbf0305663298b50a7714e90738f5c8127130b18dd176b4936813c192be

  • C:\VidEI\bodxsys.exe

    Filesize

    300KB

    MD5

    1177281cc37eac897548f09c5a2bb0be

    SHA1

    7fcbdfa586162ecf10a4e814cebde49a9e7c9ff2

    SHA256

    e0e8199ff31a78de783de78bcf4ae417736be14f8f3aed4edbd1b7408ff8e9cb

    SHA512

    5e4d15369b7aec23f96f22231c6ee0b91538eae06a29fa0055980dc85e8629ecc8e12f11fca65c6354421b31f098422dcc6de380edbbfb853a90ecfab155e1ad
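The following PowerShell script is an added example and is not part of the sandbox report. It turns the artifacts listed above (the dropped-file SHA256 values under Downloads, the Startup-folder drop, the Run-key signature and the two dropped processes from the Processes tree) into a check that can be run on a live Windows host. File paths and hashes are copied from the report; the assumptions are that a real infection reuses the same directory and file names, and that the Run-key value, whose name the report does not show, points at one of those paths. Run it from an elevated PowerShell 5.1 or later session so that HKLM and other users' Startup folders are readable.

```powershell
# Added example, not part of the sandbox report: check a live Windows host for the
# artifacts the report lists. Paths and SHA256 values are copied from the report;
# the assumption that a real infection reuses the same file names and drop
# directories is mine. Run from an elevated PowerShell 5.1+ session.

# SHA256 of the submitted sample and of each dropped file under "Downloads".
$KnownHashes = @{
    '9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8' = 'submitted sample'
    '5912d778da8b2fc811d020c96395df1ec95af34f0d3800d8e4524ac00f0e8345' = 'C:\Files3X\devdobloc.exe (183KB)'
    '3fdcab2c02242bddce8bed8e662742cf3539c05a2ef5d3df9f1ec067ce96af92' = 'C:\Files3X\devdobloc.exe (2.6MB)'
    '835a59d0dbef262051721a1e70ec343a8bcf8747ff7fbeb55c3b2d0f9fcbb2d7' = 'Startup\ecxdob.exe (2.6MB)'
    '9cf0e114a36f299dd71c04ed93d7e17dafe457f9321c274e99eb1d225c9dcf3c' = 'C:\VidEI\bodxsys.exe (2.6MB)'
    'e0e8199ff31a78de783de78bcf4ae417736be14f8f3aed4edbd1b7408ff8e9cb' = 'C:\VidEI\bodxsys.exe (300KB)'
}

# Drop directories and file names seen in this run.
$DropDirs  = @('C:\Files3X', 'C:\VidEI')
$DropNames = @('devdobloc.exe', 'bodxsys.exe', 'ecxdob.exe')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Startup folder of every profile (the report shows ecxdob.exe dropped there
#    for "Admin"), plus the two fixed drop directories.
$startupDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$candidates = @()
foreach ($dir in (@($DropDirs) + @($startupDirs))) {
    if (Test-Path -LiteralPath $dir) {
        $candidates += Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue
    }
}

# 2. Hash every candidate. A hash match is conclusive; a name match with an
#    unknown hash is still worth a look, since devdobloc.exe and bodxsys.exe were
#    each written twice with different content during the sandbox run.
foreach ($f in $candidates) {
    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes.ContainsKey($h)) {
        Add-Finding 'hash-match' "$($f.FullName) = $($KnownHashes[$h])"
    } elseif ($DropNames -contains $f.Name) {
        Add-Finding 'name-match' "$($f.FullName) (sha256 $h not in report)"
    }
}

# 3. Run keys ("Adds Run key to start application"). The report does not show the
#    value name, so match any value whose command references a drop path or name.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$needles = @($DropDirs) + @($DropNames)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
        $cmd = [string]$p.Value
        foreach ($n in $needles) {
            if ($cmd -like "*$n*") { Add-Finding 'run-key' "$key\$($p.Name) = $cmd"; break }
        }
    }
}

# 4. Processes still running from a dropped path (PIDs 2360 and 3508 in the report).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.Path -and ($DropNames -contains (Split-Path $proc.Path -Leaf))) {
        Add-Finding 'process' "PID $($proc.Id) $($proc.Path)"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings | Format-Table -AutoSize }
```

Treat a hash match as confirmation and a name-only or Run-key match as a lead: the report shows two different payloads written to the same path within a single run, so a file on a real host may well have a hash this report never saw. Hashing a live malware file will also trigger any endpoint AV that has a signature for it, which is a reasonable outcome but worth knowing before running this on a host you intend to image.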