Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:05

General

  • Target: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
  • Size: 2.6MB
  • MD5: 1804e3d044e72e1b2954bbc7c97cc510
  • SHA1: 9a0df2dae401ca018676a81265780def3eebca20
  • SHA256: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9f
  • SHA512: de1065df57fc1cccdc4baf44a56e312ee9c3c0c7e1d8e543e21cb3292eaabdbe1591f17b608559231c089f64380c19386ae2cfbab765d7d93aefcba02d2d74f4
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpCb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
    "C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3012
    • C:\IntelprocF7\devbodloc.exe
      C:\IntelprocF7\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocF7\devbodloc.exe
    Filesize: 2.6MB
    MD5: c7cae401176155dccd042a571fac8818
    SHA1: b9fd9b8a5e880cea58579f813a3e1b8c37ce9513
    SHA256: 7581b006e2e9b799484788103d9fd3414daede52d3b435ce5babbcc6afffbb5c
    SHA512: 8e6e43e9fdfe7d3f93595b045dccdbdc8248397aa7c9da35e541a9c8a1d2e8f7c64c70bd7f8f6a7b6d4e13b9877cab2f2f2fe319e62530d6f19711cb6e06f61f

  • C:\MintHI\boddevsys.exe
    Filesize: 2.6MB
    MD5: 2719ca20d9509d01814a22f1d4743f14
    SHA1: 3e5655ee0bf7456279f9e692a6b322ad321f6c74
    SHA256: a4c250d44d43362adb143f36715f8bf3951ce1d6d442a28a59fde12681eab781
    SHA512: b41fb92f64b109cf96072182f288f4433e80f0c5971e857ade54b74f8fea4dca563e5ac87efc57403041c53765cf215eed3c43dd797d32050067f323a5dc1595

  • C:\MintHI\boddevsys.exe
    Filesize: 2.6MB
    MD5: f3a24a59afbe17d52edf76a85a5c9572
    SHA1: 5c06d06703f5ebbd68a2f69d9fea9c68ed686f36
    SHA256: b301bf2fc5c221bcacd828849e3f7b5fecb1a36aac39942d9fe226c86f5e22de
    SHA512: 2d9865c67ed25fbe722aeaf710a291126bad9d2fd413bc7cbb34733a80f989524262e19b0d8b5b408b3ca90e1e52ef1b074b4cfe0dff86f9be4f005209b76a10

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: 1dc7aa5ea432558316d16dc625b9212c
    SHA1: 42aa895bc586cdaa3d6ec9d71a87de8339a70eba
    SHA256: b3723f2ac97d969788fc6631878d736a7274815de9bd588c798fb2fa02ebc3ed
    SHA512: 5ee3714df7c60fc6ff510fb014b5580ad06bbb6fe74867a37786fae92c395939e96ca50638495d58b76bbac645afe9680dd1ad7d74ac4b29e154b766683b5e7a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: fda0b68d30890faa25943cf7e033e08d
    SHA1: ec8bae9e166ee1492b9e990c320ab2a2855ce427
    SHA256: 734c45571116cdaaa94af27cc6ddb50b1871f332eaaf3b89424afcdd8a213974
    SHA512: a5121007f68a69eacd77f4c2d7fa6e2c0f841d63b3e6a3a7510075c17e7bf054fdac3dca255091dab90c756b0741f7bb9ce282cc26cde717b11ca9e3c5e9c9d8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Filesize: 2.6MB
    MD5: f3b2b395ada98d83990d0b8c1c6a86a4
    SHA1: 4f70ce1778f519dbbd3ac337b000d1fea389f3b3
    SHA256: 299f0e3e8027adf2e34c1937b2b87c30c19b0ba3780f049ad84f4e79c1aaad14
    SHA512: 51f2c05a1108aa4986bdf5938bd2d6c02e0e993afcd07f224af0fa17f5b50c993f5ae123e8bedfdc164c14e06f9310f3a8400e1b28cc5ba291f7726c5be987b6