Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:16

General

  • Target

    92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe

  • Size

    3.2MB

  • MD5

    101bf38e1feb37972931495c5944a871

  • SHA1

    0e8d5d211d5e772899a73af292879be003979620

  • SHA256

    92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540

  • SHA512

    dd214a0eaa868e860cdadf465d6957e61f693e351682f5090a6c89f9e2d3621bf3d930ca279294346ca47460690c36b2dbddf3422f9c9de5c80a76e16a5032c7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
    "C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2396
    • C:\FilesDL\abodec.exe
      C:\FilesDL\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2776
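
The persistence chain in the process tree above (an executable dropped into the per-user Startup folder, a Run key added, then the dropped files launched as children of the sample) expressed as detection logic over constructed Sysmon-style events. This is an added example, not part of the sandbox report or of any vendor's rule set; the PIDs and paths are the report's, while the sample's parent PID, the SID in the registry path, the Run-key value name and its data are assumptions, since the report records only that a Run key was added.

```python
"""Detect: process writes an EXE into the Startup folder, sets a Run key, then
launches something it dropped.  Added example; telemetry below is constructed."""
import re

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
DROPPED_EXE = r"C:\FilesDL\abodec.exe"

# Constructed Sysmon-style events: EventID 1 = process create, 11 = file create,
# 13 = registry value set.  PIDs and file paths are from the report; ppid 1560,
# the SID, the value name "locdevbod" and its data are assumptions.
EVENTS = [
    {"id": 1,  "pid": 2792, "ppid": 1560, "image": SAMPLE},
    {"id": 11, "pid": 2792, "target": STARTUP_EXE},
    {"id": 11, "pid": 2792, "target": DROPPED_EXE},
    {"id": 13, "pid": 2792,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\locdevbod",
     "details": DROPPED_EXE},
    {"id": 1,  "pid": 2396, "ppid": 2792, "image": STARTUP_EXE},
    {"id": 1,  "pid": 2776, "ppid": 2792, "image": DROPPED_EXE},
    # benign noise: a non-executable written to Startup, and an unrelated process
    {"id": 11, "pid": 3100,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
    {"id": 1,  "pid": 3101, "ppid": 1560, "image": r"C:\Windows\System32\notepad.exe"},
]


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def detect(events):
    """Single pass over the events; returns a list of (rule, pid, object) tuples.
    State is kept per writing process so the chain ties back to the sample."""
    dropped = {}             # lower-cased path -> pid that wrote it
    startup_drops = set()    # pids that wrote an executable into Startup
    run_key_setters = set()  # pids that set a Run/RunOnce value
    alerts = []
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 11:
            dropped[ev["target"].lower()] = pid
            if STARTUP_RE.search(ev["target"]) and is_executable(ev["target"]):
                startup_drops.add(pid)
                alerts.append(("startup_drop", pid, ev["target"]))
        elif ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            run_key_setters.add(pid)
            alerts.append(("run_key", pid, ev["target"]))
        elif ev["id"] == 1:
            writer = dropped.get(ev["image"].lower())
            if writer is None:
                continue
            alerts.append(("executes_dropped", pid, ev["image"]))
            # Full chain: the parent dropped into Startup, set a Run key and now
            # launches a file it wrote.  Raised once per parent.
            chain_seen = any(a[0] == "persistence_chain" and a[1] == writer for a in alerts)
            if (writer == ev["ppid"] and writer in startup_drops
                    and writer in run_key_setters and not chain_seen):
                alerts.append(("persistence_chain", writer, ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, obj in detect(EVENTS):
        print(f"{rule:18} pid={pid} {obj}")
```

The first three rules map one-to-one onto the report's "Drops startup file", "Adds Run key" and "Executes dropped EXE" signatures; the chain rule is what separates this sample from a benign installer that writes a single Startup shortcut, so it is the one worth paging on.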

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesDL\abodec.exe

    Filesize

    3.2MB

    MD5

    8858df96e6548a27423d10a0f193afd6

    SHA1

    3dc5dfa28fd5f6844f3a66cb043b43b6127e72de

    SHA256

    c2c5958ecea38409923c98dc722ef1bc491e1489687e69f8705f7261b8fedb63

    SHA512

    a0b9155854907e7aecd9ef2565b2a5d2e7ad3bfa06a7a400aed2976961a5c71feffbc71258665443cceccc187396eccfea2ebbefbcc33285a832936d9015b510

  • C:\KaVBHE\bodaec.exe

    Filesize

    1.4MB

    MD5

    1803b2adc5be774fb431c33a5eb8743f

    SHA1

    be5637b16deb89e3964a2f7bde7d0fd632e95ca7

    SHA256

    7cb7f2ec92a8aa5eafa1bb9d358efce628715689e3be5758f213e4673d3e8e4a

    SHA512

    7dc738b91ac81dba9a8450183ea746cad8fe9ba27351cf4aac01e9483c468d3f82243d23eadb66c06865e1476a6ba76da4e34261ffd24854a16001437cf8b358

  • C:\KaVBHE\bodaec.exe

    Filesize

    3.2MB

    MD5

    bfb926bf00e893793307cf8355a87908

    SHA1

    b4155cb9acfc66009ffa6a64c47d01588df7f346

    SHA256

    b9b78aa09500939dde85c3c376fcfa47805073bc3cfef119f2613c97344f724e

    SHA512

    cad23633ad9bad74e544227ea25d4c4989fe356b60e70e64ebabf7a8d20c1129470df72c5feb58a279acce72f0f5e815f52aba603d4ae79ee3350c6e509a8436

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    e7f0ebbf0f1a022ed50b7990eccba830

    SHA1

    2405303823f01990616b3458c7b8d2682632fa0c

    SHA256

    b8c6dd63b8140c096c67e9cbd83be9f1abbe4c921e6ae153516244a2b2c17ff5

    SHA512

    f6d0fbbdfafc81376619d319f36779599a09d98db6ddc0870a1d4934a2cc7e38aa85023d91181c61821dbee25585cfb40ff19ae77f8481bb2c69fc0683014a2d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    3a60189ee50a8544ccae5472fd8fc41e

    SHA1

    ca05c3a9b46972c2eb04afb7c405c3f2b3b21785

    SHA256

    04145af03ef5057778a3f84710600021841b7418aea8927e1254de0097e893de

    SHA512

    bade3d6c7def7d43798dac78c0e993ebda00382288776910673716535370b24c919c0e9bae4dd5ced282489b43e74c6818ac3c6c11870e61b8612a4832f310c4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    3.2MB

    MD5

    d100293f81bda9a9b45c199c94b2cce1

    SHA1

    3f58321fc6929b18ad98e7de03a39d17e23b9175

    SHA256

    1375a5da0041f1c3c69ed9f2c94cc428359af24c17d18cf056feefb9bc506526

    SHA512

    6fe7cdd43eb38d13a5c477c1c487c2a6d3ec3e6f3c77c2a2456055868d06fa07cbf1d1d01592e12d648da28add80a5134d5da4a6bc745439d5e6b5a912fe33ee
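
A parser that turns the Downloads list above into machine-readable IoCs, added here as an example; it is not part of the sandbox report and not the sandbox vendor's export format. REPORT_TEXT is three of the page's own entries copied in the page's layout (blank lines dropped, since the parser skips them anyway). The point it makes explicit is that C:\KaVBHE\bodaec.exe appears twice with different sizes and hashes, meaning the file was rewritten during the run, so every listed hash is a valid indicator rather than a duplicate to discard.

```python
"""Parse a sandbox 'Downloads' block (path, Filesize, MD5, SHA1, SHA256, SHA512)
into IoC records, validate the hashes, and group rewritten files by path.
Added example; REPORT_TEXT is copied from the report's own Downloads section."""
import re

REPORT_TEXT = r"""
  • C:\FilesDL\abodec.exe
    Filesize
    3.2MB
    MD5
    8858df96e6548a27423d10a0f193afd6
    SHA1
    3dc5dfa28fd5f6844f3a66cb043b43b6127e72de
    SHA256
    c2c5958ecea38409923c98dc722ef1bc491e1489687e69f8705f7261b8fedb63
    SHA512
    a0b9155854907e7aecd9ef2565b2a5d2e7ad3bfa06a7a400aed2976961a5c71feffbc71258665443cceccc187396eccfea2ebbefbcc33285a832936d9015b510
  • C:\KaVBHE\bodaec.exe
    Filesize
    1.4MB
    MD5
    1803b2adc5be774fb431c33a5eb8743f
    SHA1
    be5637b16deb89e3964a2f7bde7d0fd632e95ca7
    SHA256
    7cb7f2ec92a8aa5eafa1bb9d358efce628715689e3be5758f213e4673d3e8e4a
    SHA512
    7dc738b91ac81dba9a8450183ea746cad8fe9ba27351cf4aac01e9483c468d3f82243d23eadb66c06865e1476a6ba76da4e34261ffd24854a16001437cf8b358
  • C:\KaVBHE\bodaec.exe
    Filesize
    3.2MB
    MD5
    bfb926bf00e893793307cf8355a87908
    SHA1
    b4155cb9acfc66009ffa6a64c47d01588df7f346
    SHA256
    b9b78aa09500939dde85c3c376fcfa47805073bc3cfef119f2613c97344f724e
    SHA512
    cad23633ad9bad74e544227ea25d4c4989fe356b60e70e64ebabf7a8d20c1129470df72c5feb58a279acce72f0f5e815f52aba603d4ae79ee3350c6e509a8436
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = ("Filesize",) + tuple(HASH_LEN)


def parse_downloads(text):
    """One dict per bullet: {'path', 'Filesize', 'MD5', 'SHA1', 'SHA256', 'SHA512'}.
    Raises ValueError on a malformed hash or a line that fits no field."""
    entries, cur, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: the dropped file's path
            cur = {"path": line[1:].strip()}
            entries.append(cur)
            field = None
        elif line in FIELDS:                     # field label; value is the next line
            field = line
        elif cur is not None and field is not None:
            if field in HASH_LEN and (len(line) != HASH_LEN[field]
                                      or not re.fullmatch(r"[0-9a-fA-F]+", line)):
                raise ValueError(f"bad {field} for {cur['path']}: {line}")
            cur[field] = line.lower() if field in HASH_LEN else line
            field = None
        else:
            raise ValueError(f"unexpected line: {line}")
    return entries


def versions_by_path(entries):
    """Group records by (case-folded) path.  Two records under one path are two
    versions of the file written during the run; keep both hash sets."""
    out = {}
    for e in entries:
        out.setdefault(e["path"].lower(), []).append(e)
    return out


def to_csv(entries):
    """Flat CSV rows suitable for a blocklist or a threat-intel import."""
    rows = ["path,size,md5,sha1,sha256"]
    rows += [f'"{e["path"]}",{e["Filesize"]},{e["MD5"]},{e["SHA1"]},{e["SHA256"]}'
             for e in entries]
    return rows


if __name__ == "__main__":
    recs = parse_downloads(REPORT_TEXT)
    print("\n".join(to_csv(recs)))
    for path, versions in versions_by_path(recs).items():
        if len(versions) > 1:
            print(f"{path}: {len(versions)} versions written during the run")
```

Match on SHA256 in a blocklist and keep MD5/SHA1 only for correlation with older feeds; the grouping output is the reminder that a host check for bodaec.exe must accept either hash, because which version is on disk depends on when the process was interrupted.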