Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10/07/2024, 02:56

General

  • Target

    a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe

  • Size

    3.2MB

  • MD5

    bb76efee35a2850833c15c917a07cf15

  • SHA1

    9299bc360eeb6e3fa29fff85178e881a290be4c6

  • SHA256

    a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996

  • SHA512

    d5e25ebc5b6bd6b96b3eaa37a14214408e8fb211f38e95ce8a863ebce06cd2fc44d1a3b4f2eb128a15500a3b16c8497bdb987709832b9efb3221330300bb7a03

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpqbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe
    "C:\Users\Admin\AppData\Local\Temp\a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1464
    • C:\FilesHK\xbodsys.exe
      C:\FilesHK\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3668
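
The process tree above shows the sample writing a copy named locxdob.exe into the user's Startup folder, dropping further executables under C:\FilesHK and C:\GalaxA3, and adding a Run key. As an added triage example (not code from the report or from the sandbox), the Python below turns the dropped-file hashes and names listed in the Downloads section into a host sweep. The IOC tables are copied from the report; the files created in demo() are constructed test data.

```python
# Added triage example: sweep a directory tree for the file artifacts this
# sandbox report attributes to the sample. Not code from the report or the
# sandbox vendor; the IOC tables are copied from the report, the files written
# in demo() are constructed test data.
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> where the report saw that content written. The report lists two
# writes to the same path with different hashes, so both are kept.
REPORT_SHA256 = {
    "a9e73729c502f464c12c9791f74f6fadf865fc1de9dcf3e7946bcd60fe872996": "submitted sample",
    "4f2351f92707a1861b760da87cf765906b0d7f3058f75b66edffbfadda9c553e": r"C:\FilesHK\xbodsys.exe (3.0MB)",
    "fc758a7ec5d2317f8c57468e46475644946df717ed1e40e3b5a63dfbac6de27c": r"C:\FilesHK\xbodsys.exe (3.2MB)",
    "e7913f442d1d4c78dc2849b0ca1a935c2191cd0c206bb5bd173969be96c3a2a7": r"C:\GalaxA3\boddevsys.exe (1.4MB)",
    "bb03f6aa9e5435ebc3b8fb45f915e909679601013f12b04e42f4f99546bb8e12": r"C:\GalaxA3\boddevsys.exe (3.2MB)",
    "d2baf29b20f85863eb86e68348b40decf9680ad949ce51eb87c5e581bf703c31": r"...\Startup\locxdob.exe",
}

# File names the report shows being dropped. A name hit alone is weak evidence
# (the same path was written with two different hashes), so sweep() reports it
# separately from a hash hit instead of folding both into one verdict.
REPORT_FILENAMES = {"locxdob.exe", "xbodsys.exe", "boddevsys.exe"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so multi-MB droppers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, hashes=REPORT_SHA256, names=REPORT_FILENAMES):
    """Return sorted [(path, sha256, reasons)] for files matching a name or hash IOC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in names:
            reasons.append("name")
        try:
            digest = sha256_file(path)
        except OSError:  # locked or unreadable file: skip it, do not abort the sweep
            continue
        if digest in hashes:
            reasons.append("sha256:" + hashes[digest])
        if reasons:
            hits.append((str(path), digest, reasons))
    return sorted(hits)


def demo():
    """Run sweep() over a constructed tree (test data, not real malware) and
    return {file name: reasons} for every hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "Startup"
        startup.mkdir()
        # Name matches the Startup drop but the content is a stand-in: name hit only.
        (startup / "locxdob.exe").write_bytes(b"constructed dropper stand-in")
        # Benign name and content: no hit.
        (root / "readme.txt").write_bytes(b"benign file")
        # Arbitrary name whose hash we register as a constructed IOC: hash hit only.
        (root / "noted.bin").write_bytes(b"content we pretend is a known bad hash")
        known = dict(REPORT_SHA256)
        known[sha256_file(root / "noted.bin")] = "constructed hash IOC"
        return {Path(p).name: reasons for p, _, reasons in sweep(root, hashes=known)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

Run it against a mounted image or a live %USERPROFILE% and %SystemDrive% to confirm or rule out the drops; the Run key the report flags is a registry check and is outside this file sweep. Treat name-only hits as leads, not confirmation, and expect hash-only matching to miss payloads the dropper rebuilds per run, as the two differing xbodsys.exe and boddevsys.exe hashes in the report already show.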

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesHK\xbodsys.exe

          Filesize

          3.0MB

          MD5

          f159d0ea35b9adda7be63eddc95fcad1

          SHA1

          11b2af80c1f16215e3ce8577d63b42cd65184eb9

          SHA256

          4f2351f92707a1861b760da87cf765906b0d7f3058f75b66edffbfadda9c553e

          SHA512

          756f0599d59c6165bd0fddf4bb99b8c9e375f34bfcebce503384901b6b26e36ef226ebab79f65f2278eb3d97236614a0401c679f280153341508689a2550b1e8

        • C:\FilesHK\xbodsys.exe

          Filesize

          3.2MB

          MD5

          461ada0467cedf2751fb8ede07e303f4

          SHA1

          720f69f093712485c9f6d7203702843c30131c46

          SHA256

          fc758a7ec5d2317f8c57468e46475644946df717ed1e40e3b5a63dfbac6de27c

          SHA512

          99771e44bc2129faf35baf1119e03ef81affc7c34cdd9b31040b8ffe14791d8c70015d98e7db8824f35be9582aa44cbb61d9a1575ee8a65445df89d379bd6597

        • C:\GalaxA3\boddevsys.exe

          Filesize

          1.4MB

          MD5

          0b40ebf7c96e3ddcddc69e604ff2d0db

          SHA1

          317d28680097a82ac6077bf2c419ae9b799b7650

          SHA256

          e7913f442d1d4c78dc2849b0ca1a935c2191cd0c206bb5bd173969be96c3a2a7

          SHA512

          c8459db7801d96806ee843d7f95e44dc2f9d85877974decd81a5a95f0ff53014960cf7f35a2ca28158fa1b29584e5a5655f34c01be468fdb044f45899a24232e

        • C:\GalaxA3\boddevsys.exe

          Filesize

          3.2MB

          MD5

          95cd68785cd59004b5e8e537db22d2dd

          SHA1

          63fc1b413f6787e08c9aeec78e3cd5ad53679fb9

          SHA256

          bb03f6aa9e5435ebc3b8fb45f915e909679601013f12b04e42f4f99546bb8e12

          SHA512

          2f53e5bf33f88ee9eefd9a43cd92aae8724e326f6927ac3c41ad32d55740d8aa2941aee3968aaf0732d2ac20b7ec0d933f05570b559426d6751322e04189be26

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          3187b896cb3ebd9b31cd812640985c80

          SHA1

          de67dd5c53b505bee58a17e903c12cdf15603c95

          SHA256

          c10d73e043089ec9ee09271f1c83e18a2ae26ff441c6ae4879e9455d6f775417

          SHA512

          603cbe2f6e3c2520c33390263bc641e890797d6b4f5921fb657f683f1cc02e16d9a5c2e705b356251be2bfd097e3b0457b56590c8b4f1f78e1cafadb32a2e7ec

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          03e7de64b8a8350da6bd26b4ff859305

          SHA1

          6a66ad102d441bcc0e12f0bbde88e19c7fbb734d

          SHA256

          d27e44285549f5be4f833a9e54d144a5b662adaf92736c6974bb5dc163314537

          SHA512

          3fa7609abbf786c9376703a359fe635b9b220304b4c184ba9f9d0ec6a7657f286bab45a328ec338ca81abfcd1163db8a5f0a0e1a8625605fcbdbacb2de69f4f8

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          3.2MB

          MD5

          b751be73f74a7983430d0a890b290d7b

          SHA1

          1d47b1a46cc3e05802298017189a8d58366366b7

          SHA256

          d2baf29b20f85863eb86e68348b40decf9680ad949ce51eb87c5e581bf703c31

          SHA512

          c3b9ee5c8cbf3dc9d67e3c00c1b089cc275bc702be5960ac06fd2006ab760c8d82a60b7e3acc6cc8f3cb8e515b2ee24f6df2bea835afe497bbed9466e266eb93