Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 20:30

General

  • Target

    383861ea4ddcdd44f3bd88a54bac775c8fb93b8ab4b769fd439314c3661df299.exe

  • Size

    4.1MB

  • MD5

    097aff1595dcd066af8ab4fc543ff2d4

  • SHA1

    dbbdd0fc0fa5458279b88e7fa760053f591e8ccb

  • SHA256

    383861ea4ddcdd44f3bd88a54bac775c8fb93b8ab4b769fd439314c3661df299

  • SHA512

    fabe8d4c7410edf25b07dce5c4f24ff67697d36ba6f9d9e11757bfc662e86a46396c739554afc4af0859030749a2f96e1da07e1d38eeea6d667014d0a8c0f64f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpYbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383861ea4ddcdd44f3bd88a54bac775c8fb93b8ab4b769fd439314c3661df299.exe
    "C:\Users\Admin\AppData\Local\Temp\383861ea4ddcdd44f3bd88a54bac775c8fb93b8ab4b769fd439314c3661df299.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1652
    • C:\FilesVA\devbodloc.exe
      C:\FilesVA\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2060
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\FilesVA\devbodloc.exe

      Filesize

      4.1MB

      MD5

      312c2e3cfb51914ad738d29dcbae665b

      SHA1

      343e91c8a0c6aa9bb57ca3d43a17e7063c2e4e31

      SHA256

      9d064c42ee678fbf4f7ed8ccfb4f668e4c150ab53a8eaee36af6da5f1fc81861

      SHA512

      94322de6c64464708aabd1d98038ffa78925f0662b6b3e213eabec73b7a423f1bb9be8e7f87ff88fbd875e295410d5228cad63aae1a18177ba9290961a351a37

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      201B

      MD5

      60a7495c4ef448891e3a3262924f2caf

      SHA1

      f15f1ddb6313b239a46581decdd5bae845e83450

      SHA256

      3202f6d8f33ca40c3fc4eeadef1e5b6dce0a6761de5c066be09747ec59a34250

      SHA512

      0ecea3d360ea1bc1a596523d4a44d73b80546d7cf09a626b4893fffeab69ca62b5e087489195634f1ace16e1fa6a86397f17826a6569768f26e95dee99b46d90

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      169B

      MD5

      71401b6db4c87154c31c66210d3fa3b1

      SHA1

      6824ac2273f43e721f64caa68785a072860d17b0

      SHA256

      e651bf4a6c1392df1c4136de83bf022237f629303cf3f816da384d1e0c88fa79

      SHA512

      7744e062084d8a8a2756edce45fdf345e1c58aa4c82426511e07f1a93105a2fd5521c5354e8560f82cd7cf50b168dd58cadb4941107095386f97c23ac11e5117

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

      Filesize

      4.1MB

      MD5

      5003925d0a05b7e3b2bd5dbe69064dc3

      SHA1

      0e7ceb545b54a4b130b87a30969cb6ed7c7f5327

      SHA256

      b6e1655204eccc4e00f1fd96e9124ae396d019aa89bbf7a1b3f4ca348f84e80d

      SHA512

      7a7c1eb60acde411e1ae7ead5e0821c4e7b4e99e1b91feaaeefcff8c497f8b635adc84469a221eac1903171e8f0238f704cc0b6b9d8f2eb34b8f4562bf326394

    • C:\Vid6Q\bodxloc.exe

      Filesize

      3.6MB

      MD5

      c7a017f8e9177ca374fbfc1ca0a7f061

      SHA1

      fd882760e597bb05ed51405efdb74c263bdbe9a8

      SHA256

      6efdd7059e9f6da1584754cb416df8768c0e863e904f542a723c33936d66b0ad

      SHA512

      a188954ae24313a66937e0b8cbb13c4630de3ac2c7273da77e9a8c40e604968ac0d14b9b1ac19bb63b538503240792931ea59fd87826c5f9bfa3ae5afffd1aa4

    • C:\Vid6Q\bodxloc.exe

      Filesize

      4.1MB

      MD5

      6ee612e0c3ff9d5fb4c7232894e74fc4

      SHA1

      d49d704bcaf4509e7121eb0774145e71dcd6faf3

      SHA256

      95bad1c78076ac3f48736952cdfefb354c7e66d94c703dc223ca592267eab08d

      SHA512

      1f966853432ed097c21a9ba1dfc01703196f786d7ec6763ffa88ccacf3fa6c2990d7b169739c9adda99c66d4bb5b99ac7a34eb97d5f97b9508643acbf4c482ab