Analysis

  • max time kernel: 120s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 14:09

General

  • Target: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  • Size: 2.6MB
  • MD5: 8783f6824ec21bbc49a9b9081cbae892
  • SHA1: 85a63c5c1c7a7a14a8c8a090e1e648b1eb770433
  • SHA256: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499
  • SHA512: e59e0b90b56a77f9c206059baebb95ac9cd7eda3c9516fa72b093eb225039604d1c2c998f246e98c7560e8ad25b7506e8b975ca27145435cb4afe2c396d494bc
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSy:sxX7QnxrloE5dpUpvbt

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
    "C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2524
    • C:\UserDotYY\devdobloc.exe
      C:\UserDotYY\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintG6\dobdevloc.exe
    Filesize: 2.6MB
    MD5: d073526555fc343042200ec442ae4b50
    SHA1: 798bdebc02614ba49e9f735feb2779b195db043f
    SHA256: 924b00269737567250da884aad697302dcf6c51bdbb7408759e7b476b20ee1a0
    SHA512: 1dbeef5a673f34363f24e2b08172cdd807674843509456ea740de5b9f31ed3ffdcfab796bc6dfbb6718b8ba9e505e8d01d3d9fe30c418cd6bb57e800aca4a80c

  • C:\MintG6\dobdevloc.exe
    Filesize: 6KB
    MD5: eca5ea25f6a32a95c09d2d11f140c43b
    SHA1: fc7c4ffc46b345747cc079073a62c80c129f2442
    SHA256: 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17
    SHA512: 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

  • C:\UserDotYY\devdobloc.exe
    Filesize: 2.6MB
    MD5: d89c526b4dc4d164f53bd773ba009719
    SHA1: 968593667fc3a788eec54d65f4e5d7923a69f85f
    SHA256: 29b544bc3111379791cf0f4b5b6b76c96efe2f46c92e4869addd559c04405be6
    SHA512: 70f6f9edff438b7a0a456a6c2955a8c9338b26d9100f7fe9877f0209fbb5ca2d8025954ceb6067efacf4dbbd40decdd75482c46b1c1d73f7e9718c9f81d4918f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: a7af81c20cb6dfc1dc359a0254481e4a
    SHA1: 42ee04dbe4a724959f3bd69e9accee067f01603b
    SHA256: ae37b33824605125f038774b1ea27af9be33c28e118187e9efa3abe68f998c62
    SHA512: 16b8d13c51088b0ef97a7a387adfb242bdf2a3ed4e8e9755cf81ecae5bf5bf59902500d9a342ac206b7de43486ba68a4fba554667ee8b6841769674044bf140e

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: 419ca0b481a284c850d01f46dc93ebe0
    SHA1: c5ee9ba4e5bedab1ef19433b806da71cd693110b
    SHA256: 37d6f4972e355e1891eb10b8e8da4f1399b7c14beb63ed43ef4295fd967dc8aa
    SHA512: 703ce544d73b1d141585cdaa6e7a0093abe7220a31eb77dc48b8fec79843dacd80e280b2d5cd1e9ed4c2b769d257692ba6117582c44db0ea34eab6b262add9c3

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: 0d58208ef1afaff6539c942e568065ea
    SHA1: cf7894489ee188e4d540ccf18b73b20cb001d023
    SHA256: d8385d0294f6c3ba43eb70245bb6236699e3c054bd7bf34bb9f422fb32f62af8
    SHA512: d7e2a3c9c14dc44e61b6d1827526c61e3f4491f8aed00d6feb6101225d2d5b2a11ba6980d8554aa0f5d8a7d3fe3a024ae6208fe3092b74e3391845b1577a8dca