Analysis

  • max time kernel: 150s
  • max time network: 100s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-06-2024 05:41

General

  • Target: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
  • Size: 3.9MB
  • MD5: 62de0e03112b50ef658e3d6477e0b2c3
  • SHA1: e5e1ab14aee7bb6e30cd250378238a005ad863be
  • SHA256: f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77
  • SHA512: 957377e00975945f8ba188ddd7580281d2678fe32f3170bed9ab6ea215b6fb738583bd67432cc6e34b0839e8d621611be52669630e1413ed626c7a814335884b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
    "C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4720
    • C:\FilesTN\devbodsys.exe
      C:\FilesTN\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesTN\devbodsys.exe
    Filesize: 3.9MB
    MD5: 7ad07bc927adf45eb9a085ac71ba0a26
    SHA1: f720acef80dc31845d437e92edeb249acaa64cf5
    SHA256: b501de7e316392673403336c1e41f245343fa4a16b48a710e8c70f37a71fcda4
    SHA512: 8bc2b66a0b198327a774bdbcb408f7c4381ea8abf4c8d96515920ca375ae565cc1687c883b17e3671e0076ec816d6354172377bd65067c926004dcbbfc8882f3

  • C:\MintUS\bodaloc.exe
    Filesize: 3.9MB
    MD5: a2a762ee11d033f7e67f3d8b7195471e
    SHA1: d9b7127b0bf3b3fe85b7d51032e4db03bfe3edc9
    SHA256: c810082a2291330ad1cdb8ce535d7653e0e00afa386c716a329369ed26597345
    SHA512: 56c42fa915055977c7a1eb3c5d2c6cabd2230043bc769ecd1c94d0c3aca8ef0517163891824883df9538e9e4218753de85ee6eb0f339823e745ff74844a74221

  • C:\MintUS\bodaloc.exe
    Filesize: 3.9MB
    MD5: 436f3a07b2efda912f27ac86927d8ef7
    SHA1: ae0a78759a3a9e78e855e4b63ccee06c473ff11e
    SHA256: dc0e2f9f41b3a12b14a2140ce217017777dd7ca6fe929dc0328feaf28d5805d9
    SHA512: 712ba814d4039fa281115bd0ccfe6322e7eaf44fcb52f5a002832641c7148c39f3987050ef4bedaf6980c7c266a6ab908fec4604e002efdb50ec3f65001b912b

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: bd32eef9f34e8a91a8a4dbc8c35a0f14
    SHA1: f1a5d3ead5333d4758a776a59afcf6bc8d30cf7c
    SHA256: 49eb8d2ea2200ad22f4a2ff030cc54ff1d334b3d8306a6ac6786b549357e09af
    SHA512: 62378df8aac49a6d68b3662ad30451609b32e8d03e6d890b3678f5b45e244a797144ca208155c0184baee348763a28323f17bea6d9fe93bc6e192b376fa15d66

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 7f97956a9cf59eaa85f3809583d54674
    SHA1: f4e49d9c94294210c11c486716d5e03185ab5a0a
    SHA256: 368a8f45bc294c72c038a857a93d2621c759e0f00041197bc9398d3d9ec1908b
    SHA512: bd26fd021e542b41794f02042a3858add217a853ce092791ab32576d99d84664a66252d60078781402ece7aea83be16b813184950a09e17443699c0d3b383dd3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 3.9MB
    MD5: ee33273067b8b6ca638076afe9fcf411
    SHA1: 549409a021ed955a2cd5f4e8524a0dd0a5e1b197
    SHA256: 13cd8349cae8696ad211810b7ce31a6aaec194eddd3a3924d81acfaee51db47b
    SHA512: 06fbb54a5198b596d469a9157905341ed594c8c43d3ebefe7ba8996397a72198c06da73249cba90bdca8e3ca04c4bccecda5f867910cccddd52209d43ad49964