Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/06/2024, 07:51

General

  • Target

    bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe

  • Size

    3.0MB

  • MD5

    523fbd55cca2fe1441d09a1ebae2511d

  • SHA1

    30ad07a2b2cd23c40e12acc6b7517f615844b0c0

  • SHA256

    bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14

  • SHA512

    14534a35d7ff83c538caeb1c5c38193cf10468dd8c7e740861a020815a8c94e678b59d53e97c5e09911a31d168a113c2f3d4d745447ab4989efcef6e8c716fd0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUp5bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
    "C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2204
    • C:\SysDrvNQ\xbodsys.exe
      C:\SysDrvNQ\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvNQ\xbodsys.exe

    Filesize

    3.0MB

    MD5

    11ca2abb1f93a74ff54b9a1fe3cf73ed

    SHA1

    19a572bf821da3ca1169c608e63b875f89b520a0

    SHA256

    5a71b8e5658f7ef5f14eb3043b3a6e1130344ba2ed0e1752636b7f805ac5e24e

    SHA512

    abee3685bb789e00d61639a0e74ec142d045008ba24b8fad861f4d79835b326f928e312aeb330e76c8e2a3d891b5bbf77d4d238844df421884a289a6d390aec2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    41282c20d3df78ecb481da4c2718483f

    SHA1

    4296bb39acd9197d5617f78714a8cdeb67cb1584

    SHA256

    23fec033385630b471dc04f5a10e9cfe1a8d83ee607a66c6144c9a44d2a871a4

    SHA512

    23585ddef017220545aae8473d80c963890a2dafa69af71c515a8d2df74b228d01d73a4b7ac384d20d5e6d9519ea352ea9204160f80ddda3be2a690de544d5ab

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    bca3f281bab7d60bf8679c9e300fd3ba

    SHA1

    b219c8b8d5c1c146e27ab9af2a1c9399e20c1876

    SHA256

    f47b731b871d96b98e1e46161ba4413b3b03bd557a3321339a96416c757af65e

    SHA512

    4cab0f3d798d42cf21729e22c4166a95ef39b0205b7a214ba49518e13e5a1874c447a4b690871da3253bb5cfc388305a408b4f1b59256b2d3e3de72cdac1e75a

  • C:\VidJA\bodxec.exe

    Filesize

    3.0MB

    MD5

    1df72a5f419cd989749cfa257427ac64

    SHA1

    199d60c902e06a09678d38af241deb9094b9326b

    SHA256

    ffb6ae638d3c49a3583b6efc778ba3bff2e36d4dc4d671fc8bce79311394de32

    SHA512

    80455f7d288ee46d06b47c82600c78cb11a0fe750f7067d4bbdd6f9e65e91241c473e6dea7556c639c0222c15c2fbbf5d1e7b537a10eb2bcf2083719dd5aa33a

  • C:\VidJA\bodxec.exe

    Filesize

    3.0MB

    MD5

    34d1a616b06664d0cb471894df8aa2d2

    SHA1

    009337a68583b5a82611dafc98f158a1491aff62

    SHA256

    5dac4e202b7310781a55babf92d95a9a055a4d1723c113883b66ff1b2a99eeae

    SHA512

    f21ee2cb7acd68d1ab0501ef14275da6b8839990a12d522fb645e0e93144e1cf859b830772be055155ccca7ecfaa0afc3172969d2f267cf85470dd1d4e282d31

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    3.0MB

    MD5

    bc852c432427b7acfd75b5629944d6c9

    SHA1

    2cf6ba6de334055bbb3fdf7b3af4ababa8050bdd

    SHA256

    43f512e6a4daadc3eea9fca3f71747905de8e672798dde0120acbe10d6904b73

    SHA512

    bdb67d84b16fa2f74b03a3e4a7774f51724ba3b86a7224bc57a3873ac0b141e6dfbcb0d9f68f212897f14ea9fb8014ba3abd985ae7ca4104ec8d86014e057a78