Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 03:13

General

  • Target

    b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe

  • Size

    3.3MB

  • MD5

    1fb36ec40b8dac633f226b941c5c9ed4

  • SHA1

    0efdccfb197b85637eb475fed1fa218ce61a1149

  • SHA256

    b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e

  • SHA512

    591b6de05eb65b818eff346e201bbc4477aa162b7018efa2c1ea7cf2abc7b286b18d90c3fe5395f7852ca063ceb7528f1acbc4b8b18e1081a70a8aa4f0a0e9d0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8:sxX7QnxrloE5dpUpJbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2252
    • C:\IntelprocDR\adobloc.exe
      C:\IntelprocDR\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocDR\adobloc.exe

    Filesize

    522KB

    MD5

    34e55fc830aa4dac25e00e94662d581b

    SHA1

    7a15601395c1b074a34d60fc889b210d307f2498

    SHA256

    8a7216a18c65163f1556a77fedc0d5afc9b67cf41dfd2d6044f7ad44cfbc2408

    SHA512

    904df8f603b98a7365b99584d38645855d596d7b99ba55827b61c2fbc53a7fb2c6f6a8f6f541c4486066b05fd8dfcbae6cc25ed1610f3bba46100224e31ed434

  • C:\LabZXT\bodasys.exe

    Filesize

    3KB

    MD5

    b85ef880820ad2f02706b10170e533fb

    SHA1

    71378239fb161e35c8f79d7a951d7d09d4f45b33

    SHA256

    824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78

    SHA512

    f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3

  • C:\LabZXT\bodasys.exe

    Filesize

    3.3MB

    MD5

    90845a76e15095f7342010077c8fb40d

    SHA1

    27cd7bf49776828f50334dc358293ceedf8e14dc

    SHA256

    48b270e53ed6aa45cdc072786ebd7003e5d0be58d76916467196252db9301e77

    SHA512

    f5da0656c11786c1c3e35ab1302c3c78c9a75c88f5ccc4b1e5e94d9627002f6234cafbe5b43acdda25d5cf6c8548c7b54951b5ffd8a231fdf27dedf18f3db168

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    b1db7a664897205c73c197e1599b19e7

    SHA1

    9dcb0ccd281d749fcba265b8993f7467c204d6a2

    SHA256

    ab997b37462fa216e7b06b1a1c11f994bb891273573b6341458a23966c5c5563

    SHA512

    553fa92c5c9548f4dcdfe65544bec18f940836e7f7d8c4b29f44d4005eed94acb58e9c2052ea9d48373c341793363dcb73559dd95642583a44ef8637656c02c7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    e2256f5c835a2e2dbbb6e3fd8585fd1a

    SHA1

    1435f95a17a3116288f3de770c41e0e56c1d0c16

    SHA256

    9337a3b0b8c614674714cf812f124609c6167d30f49d4b9604ddac30e1235d95

    SHA512

    742d6d5b7586346a7e41e2226b1c77859e8c7ec1fe480b066df70688d00d9adcd877e5ca89922cc17fefbff0bcb9b3f49ccffac9f60d6c043617b2ca4f392ab4

  • \IntelprocDR\adobloc.exe

    Filesize

    3.3MB

    MD5

    63f47d33ea49b7a5de5b4aff11803314

    SHA1

    f87e873c6f67c610c88edae9c333c706467894ec

    SHA256

    3fa786d81f3683d2b54116b105290b10cc996e166c1de1980a036c32bcab853d

    SHA512

    d21ac3d78b3f8f4f6eba15c584adb49a22e2e41fd097902d8aa85a0c824fe4655bed3ce294f1784b3c9a91213f9110d4f60f45009f91db3d51aeab8fa5eed622

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    3.3MB

    MD5

    a055abe5acfdb90937ea0c702d68601b

    SHA1

    d87d3e523554be131fec534a6b7336d8c65ffdbb

    SHA256

    e2ded75e96cb032b7424fff79076346a3fd64fe4d6e0b96e36222c850c672d38

    SHA512

    b4587140e3c7a8b852464842a15dc652278071cfb780226176ec0918d5b78e4c1400f36e469e3e029b3d605a46ed6a447cc41216b59788ce974b90c40ef54e9f