Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 01:40

General

  • Target

    b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe

  • Size

    3.8MB

  • MD5

    7119474195def2bc277329642d74f37e

  • SHA1

    8c9aed1f5b9183af9021ab64641a792000ec3f71

  • SHA256

    b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c

  • SHA512

    20bbf648aaba9e02a573feef5e539e98820ae7ea517f5d9360f9ac1107bdd6881c834cac2b4059c77c4454fa753b51180fb90409411c4dcc4eb23d302c9536f2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
    "C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\UserDotJU\xoptiloc.exe
      C:\UserDotJU\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Downloads
