Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-06-2024 05:33

General

  • Target: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  • Size: 3.1MB
  • MD5: 1fc9c061cffa61d9910130b0704877bd
  • SHA1: 165432d7a40beff25264f2f8aa17ee71b4eea543
  • SHA256: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc
  • SHA512: 2d79cc1b349d864a949f12f981548f6fb962689ed0befa9b2d663e1d1f23caf22b2f2e64c9dbfa264bf627cc6483968e60e418db4c90de5adb6d9916660f575e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpIbVz8eLFc

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe (PID 4656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (PID 4736)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • Child: C:\FilesOU\abodsys.exe (PID 452)
      Command line: C:\FilesOU\abodsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesOU\abodsys.exe (3.1MB)
    MD5: a8b6d48fc722ddd617a46d366bc47b12
    SHA1: 7aa42f30b67bfc0bfc3029425037df54da3d719d
    SHA256: 14ea4779fb0bfea29b24dac1a88d2eea4f17bb3366cfb9d88b269f89ae5c600a
    SHA512: 1673d13ecc9a01215a5bec2e2d6870bc9d74b2c7ecd0a2baf468d59c49c29fc15e261dd6c551b2cd373837a83766930fdaeab241f72c0a78abbfa7ff88d74f0a

  • C:\LabZWO\optixloc.exe (8KB)
    MD5: 4f22d799849ad951d457b82eff37db75
    SHA1: 4e1063fe8d636bd72f9cd680c689c23c67188ea6
    SHA256: 6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948
    SHA512: 9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

  • C:\LabZWO\optixloc.exe (3.1MB)
    MD5: fa9d72384aac85b56fd506984fffa94c
    SHA1: 49dcbfbd5ec47a6c2b958f9ed1218162910753e5
    SHA256: d57b67d65d2358e8c397dafcf32f67b15eb0979b7fc5c55085b5d9095cded2f7
    SHA512: 944347d008833196fcfbaccdd516ae115e4c31775e04b506a1497e1fb36272461f65ec21fd6f49f0459d9a1ca68d076378f6ad70fcd66af5cf33d9c215c56c28

  • C:\Users\Admin\253086396416_10.0_Admin.ini (203B)
    MD5: a7f4aa5cbb20135a5fbce66126932d0c
    SHA1: 7bd8b9f703c20646f2a7e67c54bcd02e08e62547
    SHA256: 17f49d933dd5687ea837526b7dc309fae2d570acda24fbf5178133617539c401
    SHA512: 2e21f53b3e5efb8ee6023fc613e3309e9deadf9ebf928724ae4d3b072759da8ddf9fdda85f1e47d11e385186a8a801ac031a46f3dce6e6ff042b14d3841c46ac

  • C:\Users\Admin\253086396416_10.0_Admin.ini (171B)
    MD5: 35999cfb797e622f5862706569985839
    SHA1: 6ce2c0110f46c8518094a1f14ef580f2925ceb86
    SHA256: 4b78a4b4fa896eb1546e3255de0ecadbc4387e10bd6ef1dfbfb72a92df234f26
    SHA512: 126cb8536d521f94c321ae7a8494cbd08b0c08f9735a4aa9f31fac0417b74676ff413ffb11f7aae6d4e96445d6e05e0367e60ce33951a745c886b85815929ee5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (3.1MB)
    MD5: 8158a12d0d852e060b4f60ba9bbd3a37
    SHA1: e003535300e735a069753c2d84e7602393209eb9
    SHA256: 2caf5241cfceb9c2eda93b750c6212346d13e69229faed3c13c845fad5f9160a
    SHA512: 86e75146dfefe93a47d3fc2ea889fbc14db574e3f0355cc308cc860ad183d484433dac53d6f2615bbefcab889d19c8893db287d3fc64b839a6f4241bf122eb63