Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 21:05

General

  • Target

    3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe

  • Size

    3.2MB

  • MD5

    4162ddf5275af7929f36bb4f04a80ede

  • SHA1

    20b1c07822775fd6523d2b876d940d76aed79b5f

  • SHA256

    3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49

  • SHA512

    dfab67b475476723478145be8f3faa7907004b173e798e46d74448e1ca0fad8885695942ab1f059de26abcff15ec7d2e730779ec085e972b30d66320a0c70d90

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe  (PID 1472, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe  (PID 2128, tree depth 2, child of PID 1472)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvI7\devoptisys.exe  (PID 1936, tree depth 2, child of PID 1472)
      Command line: C:\SysDrvI7\devoptisys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
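
The process tree above shows the chain that the signatures summarise: a sample running from the user's Temp folder writes an .exe into the Startup folder, adds a Run key, and launches the files it dropped (the two depth-2 children). The detection logic below, written over constructed event records, is an added example and not part of the sandbox report. It assumes a simplified Sysmon-like event shape (id 1 process create, id 11 file create, id 13 registry value set) with the field names shown; the Run key value name, its data and the SID are assumptions, because the report states only that a Run key was added.

```python
"""Detection logic for the behaviours in the process tree: a Temp-origin
process drops an .exe into the Startup folder, sets a Run key and launches
what it dropped. Added example, not sandbox output; events are constructed
to mirror the tree, and the Run key value name, data and SID are assumed."""
import re

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
RUNKEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locxbod.exe")

# Constructed events, in the order the report's signatures imply.
# id 1 = process create, id 11 = file create, id 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 1472, "ppid": 1000, "image": PARENT},
    {"id": 11, "pid": 1472, "target": STARTUP_EXE},
    {"id": 11, "pid": 1472, "target": r"C:\SysDrvI7\devoptisys.exe"},
    {"id": 11, "pid": 1472, "target": r"C:\MintRN\bodxloc.exe"},
    # Value name "MintRN", its data and the SID are assumptions; the report
    # only states that a Run key was added.
    {"id": 13, "pid": 1472,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\MintRN",
     "details": r"C:\MintRN\bodxloc.exe"},
    {"id": 1, "pid": 2128, "ppid": 1472, "image": STARTUP_EXE},
    {"id": 1, "pid": 1936, "ppid": 1472, "image": r"C:\SysDrvI7\devoptisys.exe"},
]


def detect(events):
    """Return (rule, pid, detail) findings.

    Rules are keyed on the image of the process that produced each event, so
    a legitimate installer writing to Startup from Program Files does not trip
    the Temp-origin rules, and "executes_dropped_exe" fires only for images
    that a Temp-origin process created earlier in the same event stream."""
    image_of = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    dropped = set()          # lower-cased paths written by Temp-origin processes
    findings = []
    for e in events:
        from_temp = bool(TEMP_RE.match(image_of.get(e["pid"], "")))
        if e["id"] == 11 and from_temp:
            dropped.add(e["target"].lower())
            if STARTUP_RE.search(e["target"]):
                findings.append(("startup_folder_drop", e["pid"], e["target"]))
        elif e["id"] == 13 and from_temp and RUNKEY_RE.search(e["target"]):
            findings.append(("run_key_persistence", e["pid"], e.get("details", e["target"])))
        elif e["id"] == 1 and e["image"].lower() in dropped:
            findings.append(("executes_dropped_exe", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

Against the constructed stream this yields four findings: the Startup folder drop and the Run key from PID 1472, then one "executes dropped EXE" hit each for PIDs 2128 and 1936. The chaining on the dropping process is what keeps the rule quiet for ordinary installers; a real log source would also let you require the child's parent PID to be the dropper.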

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintRN\bodxloc.exe

    Filesize

    3.2MB

    MD5

    d13a4b76a17b7e9380ff2a2df3b3e03d

    SHA1

    b675595279066c853ba487ed61886581f8ab1acd

    SHA256

    69418f1769a9b73c0821421f4e725873f3421d84077969c12b7fb3b851da7414

    SHA512

    766e1074f05eda91ab8c0607e4a79dad0953bea04607e7078bf25ac7b6d588db37083c0836758be7720960c359f243937379801ea62f83c45227186d0e5b339e

  • C:\MintRN\bodxloc.exe

    Filesize

    3.2MB

    MD5

    845ea76fae4644e301a0c8f392f31b74

    SHA1

    f1071f58de831e606b159a9a6f141f27f1b2ea94

    SHA256

    9628e9d64466505901eeed3c09756927400a98cec11c315983206ae0c7046a1c

    SHA512

    a50440a3c65b09fee9e8af23362702697c2ae6fa5add26d13e3286bfae7217edbd50a728824244a66302b73e1f088ee57c46d9db8b4229355d7d82568f397601

  • C:\SysDrvI7\devoptisys.exe

    Filesize

    3.2MB

    MD5

    950aac5f02593b60a7acc39303c0a0f0

    SHA1

    d9de9aca942392b2bf68544cfcbba5d202071b7d

    SHA256

    460e43aaae85fd18c8f8de8aa7dcee9696ba21d7572045daf21ff1debbe05094

    SHA512

    8f54677a981dde0971fcdca20d93ed2fdf307739efa9a0ed7beb507920d3167b19f9f5595841738fe66cf0733832c05363f69cbafea069cea3dd9caebb688b83

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    a620defe2c7980e403ecafb437b982a7

    SHA1

    52cc8f7d8323a8b39af7ae67876a750f54686689

    SHA256

    fe1997d4e4fcae3047c6637d53005fdbf96c437191b3a5452d0843e7bfa9bdba

    SHA512

    465a37f0b22560263fc2f0bdc58aadae46846b2df2874fc75bf764eb2a9315e094f5ad084e5a123589370830ae9edb47dad28fa12547d8797ac5cf338d17253d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    fc1ee109de6bfdd2f182665d82872681

    SHA1

    66a7bba26b363efdf9a1f6df2e5b9b22a037b345

    SHA256

    291280ae7678bd32faf368e533d68c2a3ebf4d5b6b37c92be3794bb2e28b84db

    SHA512

    de3841bc83a15dc9de7548fab56cbbe769d613246d23c2a6609ab0bbdfb02543c63393f28f6c84bccda65a3f297c249734a1d9048d9b6fbcdbfadae7e0cfa6bc

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.2MB

    MD5

    0234666b88fbe09b0304699c1075fe58

    SHA1

    7bb526d5a778e07d25f8b72e5c65eba16f1e8b1d

    SHA256

    c8f600813ace316c35ee651c985a4e39cbf9cf9c036879633774d8c0f3f7e4a7

    SHA512

    a4477b6371a38635ce2e3bdef373a6622554807642ac023f073dc295933e419504683a5d3fa79d09878e631058177e9659d487d4b269a529ba471bcec6fb02cc
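
A caveat before using the hashes above as indicators: every dropped copy carries a different digest even though all of them are 3.2MB, and both C:\MintRN\bodxloc.exe and the .ini are listed twice under the same path with different content. File hashes of the dropped copies are therefore weak indicators on their own; the parent sample's SHA256, the drop locations and the behaviour in the process tree are the durable ones. The sweep below matches on both, so a hash hit still counts wherever the file sits, while a path hit catches a rewritten copy. It is an added example, not part of the sandbox report; the table is copied from the report, and the .ini name is generalised into a pattern on the assumption that the numeric prefix, the "6.1" (the Windows 7 version string) and the user name vary between hosts.

```python
"""Sweep a directory tree for the dropped files listed in the report,
matching on reported SHA256 values and on drop locations. Added example,
not sandbox output. The .ini pattern is an assumption (see lead-in)."""
import hashlib
import os
import re
import tempfile

# Path -> SHA256 values the report lists for that path. bodxloc.exe appears
# twice with different content, so both digests are kept.
REPORTED = {
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe": {
        "3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49"},
    r"C:\MintRN\bodxloc.exe": {
        "69418f1769a9b73c0821421f4e725873f3421d84077969c12b7fb3b851da7414",
        "9628e9d64466505901eeed3c09756927400a98cec11c315983206ae0c7046a1c"},
    r"C:\SysDrvI7\devoptisys.exe": {
        "460e43aaae85fd18c8f8de8aa7dcee9696ba21d7572045daf21ff1debbe05094"},
    r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe": {
        "c8f600813ace316c35ee651c985a4e39cbf9cf9c036879633774d8c0f3f7e4a7"},
}
# Generalised from C:\Users\Admin\253086396416_6.1_Admin.ini (assumption).
INI_RE = re.compile(r"^\d+_\d+\.\d+_\w+\.ini$", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(p):
    """Normalise 'C:\\MintRN\\x.exe', '\\Users\\...' or 'MintRN/x.exe' to the
    lower-case, drive-less, forward-slash form used for comparison."""
    p = p.replace("\\", "/").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lstrip("/")


def sweep(root, reported=REPORTED):
    """Walk root and return (kind, path) findings: 'hash' when the content
    matches a reported digest (wherever the file sits), 'path' when only the
    location matches, 'ini' when the name fits the dropped config pattern."""
    by_rel = {_rel(k): v for k, v in reported.items()}
    known = set().union(*by_rel.values())
    root = os.path.abspath(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = _rel(os.path.relpath(full, root))
            if sha256_of(full) in known:
                findings.append(("hash", full))
            elif rel in by_rel:
                findings.append(("path", full))
            elif INI_RE.match(name):
                findings.append(("ini", full))
    return findings


def demo():
    """Sweep a constructed tree laid out like the report. Contents are
    placeholders, so the real digests cannot hit; one constructed digest is
    added to the table to show that a hash match survives a move and rename."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data=b"placeholder, not the real dropper\n"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full
        put("MintRN/bodxloc.exe")
        put("SysDrvI7/devoptisys.exe")
        put("Users/Admin/253086396416_6.1_Admin.ini")
        put("Users/Admin/notes.txt")
        moved = put("Temp/renamed.bin", b"constructed stand-in for a known sample\n")
        table = {**REPORTED, r"C:\somewhere\original.exe": {sha256_of(moved)}}
        return sorted(kind for kind, _ in sweep(root, table))


if __name__ == "__main__":
    print(demo())
```

Point sweep() at a mounted evidence image or a live system drive (for example sweep("/mnt/evidence")); the drive letter is stripped during normalisation, so the report's C:\ paths compare correctly against any mount point. In the constructed demo the two .exe drop locations and the .ini name fire as path and name hits, and the renamed file fires as a hash hit.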