Analysis

  • max time kernel
    148s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:14

General

  • Target

    1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe

  • Size

    2.6MB

  • MD5

    3687d89eb5cf92fa06799e60e0b0de6d

  • SHA1

    3d2bc532692db63efa83f0b1a298bee8b457d47f

  • SHA256

    1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9

  • SHA512

    0492deb447e001abb58eaedc40f5b0c1b23b01c8b8c68ed9bd46f3f74b36830e2e4e4eb66e55c32f3b5ef1b19ab9012aaca9197c01c02816754e029e028c9606

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
    "C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2396
    • C:\IntelprocZQ\devoptiec.exe
      C:\IntelprocZQ\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3012
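
The process tree above shows the persistence chain in one place: the sample (PID 2528) writes sysdevdob.exe into the user's Startup folder and devoptiec.exe into C:\IntelprocZQ, adds a Run key, and then launches both drops as its own children (PIDs 2396 and 3012). The Python below is an added example, not part of this report, that applies detection logic for that chain to a constructed Sysmon-style event log (process create, file create, registry value set). The PIDs and paths are taken from the tree; the sample's own parent PID, the user SID, and the Run value name and data are assumptions, since the report only states that a Run key was added and does not list it.

```python
"""Detection logic for the persistence chain in the process tree above.

Added example, not part of the sandbox report. EVENTS is a constructed
Sysmon-style log (1 = process create, 11 = file create, 13 = registry value
set) that mirrors the tree: PIDs, image paths and dropped paths come from
the report; the sample's own parent PID, the SID and the Run value name and
data are assumptions, because the report does not list them.
"""
import re

STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe")
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\sysdevdob.exe")
SECOND_DROP = r"C:\IntelprocZQ\devoptiec.exe"

EVENTS = [  # constructed log; see module docstring for what is assumed
    {"id": 1, "pid": 2528, "ppid": 1000, "image": SAMPLE},          # ppid assumed
    {"id": 11, "pid": 2528, "target": STARTUP_DROP},
    {"id": 11, "pid": 2528, "target": SECOND_DROP},
    {"id": 13, "pid": 2528,                                          # key path and value assumed
     "key": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\devoptiec",
     "data": SECOND_DROP},
    {"id": 1, "pid": 2396, "ppid": 2528, "image": STARTUP_DROP},
    {"id": 1, "pid": 3012, "ppid": 2528, "image": SECOND_DROP},
    # Benign noise: an installer leaving a shortcut in Startup that is never executed here.
    {"id": 11, "pid": 4000,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
]


def detect_persistence(events):
    """Return alert strings for the Startup-folder / Run-key pattern (ATT&CK T1547.001).

    Pass 1 records every file each PID created. Pass 2 flags: an executable
    dropped into a Startup folder; a process image running from Startup; a
    process launching a file it dropped itself; and a Run/RunOnce value that
    points at a file the same process created (more specific than any Run write).
    """
    events = list(events)
    dropped = {}  # pid -> set of lower-cased paths it created
    alerts = []
    for e in events:
        if e["id"] == 11:
            dropped.setdefault(e["pid"], set()).add(e["target"].lower())
            if STARTUP_DIR_RE.search(e["target"]) and e["target"].lower().endswith(".exe"):
                alerts.append(f"pid {e['pid']} dropped executable into Startup: {e['target']}")
    for e in events:
        if e["id"] == 1:
            img = e["image"].lower()
            if STARTUP_DIR_RE.search(img):
                alerts.append(f"pid {e['pid']} executed from Startup folder: {e['image']}")
            for dropper, paths in dropped.items():
                if img in paths and e["ppid"] == dropper:
                    alerts.append(f"pid {dropper} launched the file it dropped as pid {e['pid']}: {e['image']}")
        elif e["id"] == 13 and RUN_KEY_RE.search(e["key"]):
            data = e["data"].strip('"').lower()
            if data in dropped.get(e["pid"], set()):
                alerts.append(f"pid {e['pid']} added Run value for its own dropped file: {e['data']}")
            else:
                alerts.append(f"pid {e['pid']} set Run value: {e['key']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(EVENTS):
        print(alert)
```

The two-pass structure matters: the file-create events are indexed first so that the later process-create and registry events can be tied back to the process that wrote the file, which is what separates this sample's chain from an installer that merely leaves a shortcut in Startup (PID 4000 in the constructed log produces no alert).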

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocZQ\devoptiec.exe

    Filesize

    2.6MB

    MD5

    8bf8c8e540374475e3ff732ac8c095d8

    SHA1

    497718bc3776a43b81ef22f656e6928d3081fd79

    SHA256

    60883b09d984cda9ec2e80cdadada4a829666cf07615e7ecbc5bdbbf36792157

    SHA512

    4602f1cf357f57aaf37a80612795fabe2dc4a922da94f4d940a69a75bdfb95c3e461071bfeef295dffa141162338b4764676b49e111b99e566cd6404bfafa705

  • C:\KaVB1W\optixec.exe

    Filesize

    2.6MB

    MD5

    ef3754dfd01bf4b955e522320016c6a8

    SHA1

    e290267cdef42c5c4832cae29aa05aa971666ff9

    SHA256

    6a7da90c4051be1a50a8bfbf4e8076a06ff8441bce1668808e3ff9ff27ee77ed

    SHA512

    22a75ad862f9f7e65a8cc1902ba4e0d54cdfaeed7e6c2df6831bea889150da7baef20d93a374679f7bb1eeefaa8fbd7577434e2d39d2e3137508ec8582153571

  • C:\KaVB1W\optixec.exe

    Filesize

    2.6MB

    MD5

    9519395de39a83a57618c8c2b18cebad

    SHA1

    34f4e343110ea87ec435ccf0bfb328463c60f45e

    SHA256

    831a040de2183f32157a7427ac44cd46a14c4ca577e8d2d3b79aae2f439bbeee

    SHA512

    a2e6721a3881ccffde870a98b6ad0fb09f4f23ef4516387ce4febcf9133be49aa45fa7c4f0bc7329c71db752cb7e49c079f86b025b7666a288fa6ed26efc032c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    176B

    MD5

    f710e34dd97758bbdce76a2b03d8b7a9

    SHA1

    e187da72496cdaa0fab77a8c740126043150d160

    SHA256

    fb99c6377723ece8e80323dd8c332cc9bd95f5fbcad79ff942f4d20ae6ff4ca1

    SHA512

    dccfb1407a92bb561b7e5b4629e79860cb3070a187d142352f60c3a16d2ffa9849c459746ecf8c4790fb51e4f29dd30143b20555defd81973d48fa9de38a9db0

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    208B

    MD5

    8c0fda7c6deb4134d8a0f008f9c66d84

    SHA1

    29659b8d7e7b7f2e2442fd03b43889b7aef7acc1

    SHA256

    7adf01d23a38c06f39bb2ad590895afed4c7eef7484f8a22ec30bf96a20d861b

    SHA512

    8cd560c7871ff38cc2ef85aabad779d463d0a1fc6114ac47d7f97e6439cb50e181bc97514e02fdebeea3d33968ffee74c6643c14832d42a65022d6786a25e484

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

    Filesize

    2.6MB

    MD5

    8f1e9de96c1219157e0431d9599ab12a

    SHA1

    481ebdae5a19af96444a87d74e6271cf59562e55

    SHA256

    892ff00d904d74e1ce6559490f13f96fa083d47ce4afbf53284280d8e8999aaa

    SHA512

    e293c839f348a86e0519fc5754392e09975c777b36faa91909ea21a0198dbc4e8cc27b4472fd820ed06257eb2a6f9b8bec4574080bc235ca708476c9195ab338
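
The dropped-file list above records C:\KaVB1W\optixec.exe and C:\Users\Admin\253086396416_6.1_Admin.ini twice, each time with a different hash, so the same path held different content during a single run. A hunt keyed on SHA-256 alone would miss the next rewrite. The Python below is an added example, not part of this report, that uses the paths and hashes listed above as its indicator set and tiers each file it finds as an exact hash match, a listed filename carrying an unlisted hash (a likely variant), or a listed hash under a filename the report did not record. The indicator table is copied from the list above; the tier names and the directory walk are the example's own.

```python
"""Hunt for the dropped files listed above, by filename and SHA-256.

Added example, not part of the sandbox report. IOC_SHA256 is copied from the
Downloads section; optixec.exe and the .ini file each appear twice with
different hashes, so a filename hit with an unlisted hash is reported as a
possible variant instead of being discarded.
"""
import hashlib
import os

# Paths exactly as listed in the report -> every SHA-256 the sandbox recorded for them.
IOC_SHA256 = {
    r"C:\IntelprocZQ\devoptiec.exe": {
        "60883b09d984cda9ec2e80cdadada4a829666cf07615e7ecbc5bdbbf36792157",
    },
    r"C:\KaVB1W\optixec.exe": {
        "6a7da90c4051be1a50a8bfbf4e8076a06ff8441bce1668808e3ff9ff27ee77ed",
        "831a040de2183f32157a7427ac44cd46a14c4ca577e8d2d3b79aae2f439bbeee",
    },
    r"C:\Users\Admin\253086396416_6.1_Admin.ini": {
        "fb99c6377723ece8e80323dd8c332cc9bd95f5fbcad79ff942f4d20ae6ff4ca1",
        "7adf01d23a38c06f39bb2ad590895afed4c7eef7484f8a22ec30bf96a20d861b",
    },
    r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe": {
        "892ff00d904d74e1ce6559490f13f96fa083d47ce4afbf53284280d8e8999aaa",
    },
}


def _filename(path):
    """Last path component, lower-cased. Accepts both separators so the Windows
    IoC paths and a scan over a mounted image on a POSIX host compare alike."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so 2.6 MB binaries (or larger) are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, digest, iocs=IOC_SHA256):
    """Tier one observed file against the indicator set.

    'exact'     filename and hash both listed
    'variant'   filename listed, hash not (the report itself shows one path
                with two hashes, so this is expected for a rewritten drop)
    'relocated' hash listed, but under a filename the report did not record
    None        nothing matched
    """
    by_name = {}
    for ioc_path, hashes in iocs.items():
        by_name.setdefault(_filename(ioc_path), set()).update(hashes)
    all_hashes = set().union(*iocs.values())
    name = _filename(path)
    digest = digest.lower()
    if name in by_name:
        return "exact" if digest in by_name[name] else "variant"
    if digest in all_hashes:
        return "relocated"
    return None


def scan(root, iocs=IOC_SHA256):
    """Walk `root` and return (tier, path, sha256) for every file matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(full)
            except OSError:  # locked, unreadable, or gone between listing and open
                continue
            tier = classify(full, digest, iocs)
            if tier:
                hits.append((tier, full, digest))
    return hits


if __name__ == "__main__":
    import sys
    for tier, path, digest in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{tier:9} {digest}  {path}")
```

Two caveats when running this outside the sandbox: the .ini filename embeds the sandbox user name (Admin) and a string that appears to be the Windows 7 version number (6.1), so it is unlikely to match as-is on another host, and the 'variant' tier is only as good as the filenames, which the operator can change as easily as the content. The behavioural indicators in the process tree (Startup folder drop, Run key, dropper launching its own drops) are the more durable signal.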