Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-08-2024 13:18

General

  • Target

    89f0a8937d38aa6f02fe4d6f1307ff50N.exe

  • Size

    2.7MB

  • MD5

    89f0a8937d38aa6f02fe4d6f1307ff50

  • SHA1

    66e96d14522742f99cba82e3609182efa553ae71

  • SHA256

    94763c324c24b5cefe7e8ba941545c4441ad694c2737c46f74638f87e73a8e74

  • SHA512

    76f6263b534e76ed0f01e7feb62d0bc8e57925f7683f09735b7c784b47af7cc19e100174d5131fd7bae1371033a158603848053e40bbdb598ec1b6517d9ea243

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB+9w4S+:+R0pI/IQlUoMPdmpSpQ4X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89f0a8937d38aa6f02fe4d6f1307ff50N.exe
    "C:\Users\Admin\AppData\Local\Temp\89f0a8937d38aa6f02fe4d6f1307ff50N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\IntelprocE6\xdobec.exe
      C:\IntelprocE6\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:440

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocE6\xdobec.exe

    Filesize

    2.7MB

    MD5

    e44718aaaa0dd8dff948042384ca08c8

    SHA1

    44ab09f29f5d676b0d52a961760d36722846364e

    SHA256

    c8c2132aa49b1b0788c6c89b4c6168a344db1366e0c214ffef0874a2f5d6ebcb

    SHA512

    faf33358bc41ec7a3a2828ff6d5c8f00902f65740cbfa51f6d4df419f08d7c0f047dabdbc7b5240acd8faaefd9cad4a116fb4b9c78db07e847040675d9e0e332

  • C:\LabZQB\bodxloc.exe

    Filesize

    2.7MB

    MD5

    2dc7b43f81aea04e8296f961543c1078

    SHA1

    4519f5e56db26890abb4a1335d18307e7d2eb671

    SHA256

    9ec290ed5e1195a3a537aa7dbec90d722adabad0dae92d1a6924e56d44d17df4

    SHA512

    0b4f7e0f51919869bf8365b1ef0188de1c10ff21a07c988481526ec0ff724c02b660553fb0239d18f7f4f812627b967c6d1a674f58cce36e660365c85a81de03

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    b23f28e26365d2dfc2bd1612307b1110

    SHA1

    57a84234363a9fccbd3dc9e74712f43b135446a9

    SHA256

    de915c80fa281ecfd17c62d3b3c2abdf6b3d7315b3806b40d8add5794d8be541

    SHA512

    8da5027140336c7645e02beacaa6d2fb52278538fe5d0de38b5f4674b0da040342423c399c309b4bdabb9702b8c114084d756d46a9cc36ea459c8e8aa8a1d1fd
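The hashes and paths above, together with the "Adds Run key" and "Executes dropped EXE" signatures, are the material a responder would turn into a host check. The script below is an added triage helper written for this page; it is not part of the sandbox output. The SHA256 values and file paths are copied from the report (the submitted sample's path is taken from the process tree). Everything else is an assumption: the sandbox does not say which Run value name or data the dropper writes, so the Run-key check flags values whose target is one of the known drop paths or, as a heuristic derived only from the two observed paths (C:\IntelprocE6\, C:\LabZQB\), an .exe sitting in a short-named directory created directly under the drive root. The demo function writes a constructed file so the scan can be exercised offline without the real sample.

```python
"""IOC triage helper for the report above (added example, not part of the sandbox output)."""
import hashlib
import os
import re
import sys

# SHA256 values and paths as listed in the report's Downloads section and process tree.
IOC_SHA256 = {
    "94763c324c24b5cefe7e8ba941545c4441ad694c2737c46f74638f87e73a8e74":
        r"C:\Users\Admin\AppData\Local\Temp\89f0a8937d38aa6f02fe4d6f1307ff50N.exe",
    "c8c2132aa49b1b0788c6c89b4c6168a344db1366e0c214ffef0874a2f5d6ebcb": r"C:\IntelprocE6\xdobec.exe",
    "9ec290ed5e1195a3a537aa7dbec90d722adabad0dae92d1a6924e56d44d17df4": r"C:\LabZQB\bodxloc.exe",
    "de915c80fa281ecfd17c62d3b3c2abdf6b3d7315b3806b40d8add5794d8be541": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
}

# Heuristic (assumption, generalised from the two observed drop directories): an .exe
# in a short alphanumeric directory directly under the drive root.
SUSPECT_PATH_RE = re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]{3,16}\\[A-Za-z0-9]{3,16}\.exe$", re.IGNORECASE)

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, iocs=IOC_SHA256):
    """Return (path, sha256, label) for every file under root whose hash appears in iocs."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits

def classify_run_value(value):
    """Extract the executable from a Run value (quoted or not, with arguments) and flag it
    if it is a known drop path or matches the root-directory heuristic."""
    target = value.strip()
    if target.startswith('"'):
        target = target[1:].split('"', 1)[0]
    else:
        target = target.split(" ", 1)[0]
    known = target.lower() in {p.lower() for p in IOC_SHA256.values()}
    return known or bool(SUSPECT_PATH_RE.match(target))

def run_key_hits():
    """Windows only: walk the HKCU and HKLM Run keys and return flagged values.
    Returns an empty list on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                i += 1
                if isinstance(data, str) and classify_run_value(data):
                    hits.append((hive_name, name, data))
    return hits

def demo_scan():
    """Constructed check: write a throwaway file, register its hash as an IOC, and scan.
    Returns (hits with the constructed IOC, hits against the real report IOCs)."""
    import tempfile
    d = tempfile.mkdtemp()
    content = b"constructed sample content, not the real dropper"
    with open(os.path.join(d, "constructed.bin"), "wb") as f:
        f.write(content)
    digest = hashlib.sha256(content).hexdigest()
    return scan_tree(d, {digest: "constructed test file"}), scan_tree(d)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, digest, label in scan_tree(root):
        print(f"HASH MATCH {p} sha256={digest} -> {label}")
    for hive, name, data in run_key_hits():
        print(f"RUN KEY {hive}\\...\\Run\\{name} = {data}")
```

Run it as `python ioc_check.py C:\` on a suspect host; a hash match on any of the three dropped files or the submitted sample, or a Run value pointing into one of the drop directories, is a direct indicator from this report. The path heuristic is deliberately narrow so that vendor installers under Program Files are not flagged; widen it only after confirming what the Run value actually contains on an infected machine.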