Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20241023-en
  • resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 13:29

General

  • Target: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  • Size: 2.6MB
  • MD5: 6c649a12d61a5f3889c77d89f4aa7976
  • SHA1: 7dff6159d926f37bd63ff8628c26e682bfef485f
  • SHA256: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699
  • SHA512: 2de6e0dd6219de9ddcdb94ec539519aac987298784f49ab958bc1119ed91f4cef3e23c49ba911335d3a794f44391ed382cbd14dc19148465a976a0236e31db40
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqt:sxX7QnxrloE5dpUpebVt

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
    "C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\IntelprocPY\devdobsys.exe
      C:\IntelprocPY\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocPY\devdobsys.exe
    Filesize: 2.6MB
    MD5: f9a4288fd482fb077412b3534d46fa7a
    SHA1: 733b4a3f9b4ab3efdfd6040fe01a66b3d3beda7e
    SHA256: bc3ce9900a875cdd4887aa518e5c37ef3413f7262facd6557223290194f01ff5
    SHA512: b6b2f2059e88f14bb5dd8bc841b7a2147813abfe44435b2f6a129a4ed7766b362634334c11b7b728768f0236e8ba5623ae475d3691ac8812e49d9af34617706d

  • C:\KaVBBM\boddevsys.exe
    Filesize: 2.6MB
    MD5: 882fbe35b80e55ea56238f8bf34ef21e
    SHA1: 96190792374fc976b2cc7a32ef9283901b0d365a
    SHA256: d267027755dbfe289030b58ff850e6670de8934bebd6ad325468a05f80326746
    SHA512: 43dc916f41494d9f101ffe8b4f8e1e0db02b794730a047dd5a0f7534efba800814694549a4d02ec03cc3655cdc33556a353ea3e622ed73660befe2f9c9f368c5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 175B
    MD5: 072bb19ae9212a926c42cf0de529f0f7
    SHA1: 5f93461997d3094f4207eb0227fb41d1f654e793
    SHA256: a4cb861a4f407f2c3c27c5d5de5d9cf9f8b70ae33c684a6ca860f92840e07ce8
    SHA512: 3bea77ae2db85c9ae67dc42737c07c3b5a964c26f7de43aa3bf659d74a2b8965a88f957ba880e28a07e2196072c61c5536f567356daf4521005c3bbe1545f597

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 207B
    MD5: 67d36e89de2dd323c91b113e2f962e4f
    SHA1: b619cd837f9c06e517dddfc8a9962e19998fa2cd
    SHA256: 0a98b91a54540354ef5c8b03a8ec81764a9f936014728346c39e57f149681a25
    SHA512: 996bd897635c6e9a692f33183b304e7181a118b87fb0ae85e1d0e073df6f9c0cb0c597d07327faf4dba1ce308bbf62884cb938dc79d6ce172a67cfca32fb4f50

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: 4ad3510a2d7a001f054951f118210e89
    SHA1: 7313c496f6b20c098ecfbef58580439aae9d18f4
    SHA256: 3df8c76a1d839427c2a69ee0d63a725d652ddaa98bd2ffedb8953bc667cb60bd
    SHA512: 60ea8a289c7dd7383b06bf4daa49163be6d42f1ed1261b4d9321eab615ad40349e0eb5e2699e09fcb452ee77c5e9824bd764ad5501cdace9f15222b3fde625c9