Analysis

  • max time kernel: 149s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-06-2024 00:16

General

  • Target: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
  • Size: 3.2MB
  • MD5: 101bf38e1feb37972931495c5944a871
  • SHA1: 0e8d5d211d5e772899a73af292879be003979620
  • SHA256: 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540
  • SHA512: dd214a0eaa868e860cdadf465d6957e61f693e351682f5090a6c89f9e2d3621bf3d930ca279294346ca47460690c36b2dbddf3422f9c9de5c80a76e16a5032c7
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe"
    Depth: 1
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 4352
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      Depth: 2
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID: 4112
    • C:\FilesI7\devbodsys.exe
      Command line: C:\FilesI7\devbodsys.exe
      Depth: 2
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID: 628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesI7\devbodsys.exe
    Filesize: 3.2MB
    MD5: 0a15c6e3981868c0424de6ad7d093fb4
    SHA1: 1f2d2af2c24bd1adcd307916134727f39e17641f
    SHA256: 058b3b5d9e87fbe7b9d598e27519861e9c387b4ef1d7abdb00e35f7f4c407564
    SHA512: ceb4fd60ed7c4ef8a8c713370111e885c8141fadaeaafb5e3a7c6163c58c87567abf07543e20f595422f4ba1642f4796a11ea26d13348949022e1ac86966b52b

  • C:\Mint8A\dobdevsys.exe
    Filesize: 3.2MB
    MD5: 976001ce9292b5870f5043c7c5616523
    SHA1: 4ea445df2a5e1ce383ef61defc43374ebb42b775
    SHA256: 893c6623996fffd89d27308ea6d4406b12193239d28ddcad5ac0a074a039ef20
    SHA512: 018c038a8afe05b417234b8dcf9b1e929dbd04018a8d7b865fc6f24421829983903729d8eb1992fec69514dea1c96485fb9cb74faff03a5949cc088fd7e11a15

  • C:\Mint8A\dobdevsys.exe
    Filesize: 3.2MB
    MD5: de9ad993bb6ce983af736a980ab2c509
    SHA1: fe6a9f83c74de1814a8f72e0835ab9e6e5a77d52
    SHA256: 0974cf88e8cc6738010ba48e9eddf600d7dfe30c1291672c10922b0e690d446e
    SHA512: 31ef6985bc4cef0da57427dd705101b142a4fb04ab94a586d27c678ca4103d734cf91e8119fc703d0f1c8fa7040a256f2621babd73dc9371f80da6674f4def21

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: cfd9de7b64639a08f4f3b919e3a4469a
    SHA1: 45a22e9d7666ca1c0b38f9f2920ec8131fb9efe1
    SHA256: 410c273fef158718972a3a3df7487642cb41594816ea586bde45fcd89ec0a8d1
    SHA512: 53b66e9b322d65ebce7505bf3013ef5f167c4eaa51b0f536ddb7df38ae8dd1511dd6e907c47632601610fdcced32a895c562d4bbcad00f1dca24a2fa82cf3cdc

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 37312b02e9d0d0505548249612130e33
    SHA1: f7fb9367c74aa7ed2620f91021340a6524b69ebd
    SHA256: 70d5708dc2e20a6256b60eef23a7183a4c26c0f8a07b04cacd30c5fe86a14fb7
    SHA512: db228758e42bfaa2cdf150395c034cd0bf77a7f8f4c258ca4531978bc12552ad08654f4b8df7b21ad492f056a34f7c79c3ab6bca20e201481727023b164e58df

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 3.2MB
    MD5: d93b351d15aef16320acf10cf3d60e82
    SHA1: c63aa624e875cbf702c25fefa6f7f2c9c8f81ff6
    SHA256: ec3dc5684af8ef34fa6a4061c39354a7d3057e0e308ede1e1660216f2a7404a3
    SHA512: f12a292399558810a0bd276234ee423034b3990d35d69be369abfbeaabf4e53641a7102ea33b44e5a84ceb28224b156e53687936299760be022018231663468e