Analysis

  • max time kernel: 119s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-10-2024 04:26

General

  • Target: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  • Size: 2.6MB
  • MD5: 2ead6a6da90bc4921365d428319a4d80
  • SHA1: 8c5ab884a871c1901a8223c9295db1b6125a26dd
  • SHA256: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6
  • SHA512: 4de06daa51637c60fd04075a5ad690a7443102e55b612171d05149242236653f9617164b56670bb0bad703816063d4aec24e1cf08d0624e1be369659a8e04f85
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bS:sxX7QnxrloE5dpUp4b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
    "C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2648
    • C:\Adobe2S\aoptisys.exe
      C:\Adobe2S\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe2S\aoptisys.exe
    Filesize: 2.6MB
    MD5: 0989c9bded972507425cfc7c9d6e1d52
    SHA1: 8efb4781988c951b3315b45be44b1e37eb6c5caa
    SHA256: 2003557d36e91b554f8ff23416425a8d51479c3f222e961e6e1a4dbaee30f344
    SHA512: 7aad8ca771efb217dc445a132b98e143b892332c8f242768d214a6d2fadb008fe6713d664f8eb7e5c368fbccb7e43f774aa57e5fbdc98ed426026af80c9a4564

  • C:\KaVBPP\bodaloc.exe
    Filesize: 2.5MB
    MD5: dc9063c9d844a831416e915be278d64c
    SHA1: 18230f54a21dd7bc9b72ec322e6f974e294df9f5
    SHA256: bfb2474ee9490d23dd43dc3e6f56cf433373a8179f75f0997a51d4e6dede1e1e
    SHA512: d1e39f2bd6c2a90f92a80f4465691cdfda4984c96b6bc6d6dfcb69c86fd571c8792043a8c2b128cb9ac6fbf458d808efe662c39095a28aa8868b90a25490b43f

  • C:\KaVBPP\bodaloc.exe
    Filesize: 2.3MB
    MD5: 3a9ea6e303e7bbdad270ccbe8d43749e
    SHA1: 62bc973af0455c45452b139e6aa1dd898d66e306
    SHA256: 30006f1472757406678fedabb2f8bea131cd070f4b80a8c861207dc4d684871c
    SHA512: 2a18070bdaf810a6e6c117b80cb244a4a2e9539d43a22306d4632071acde27fa0cf06e143e8b9c199e4ae918edcde0d777820fc85086413efd97458b2dcad1c8

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 0a8ab44ba78003d3b3e9ce9c6d3284db
    SHA1: d60f18aee0c8ef388c185ae6d857a6293a6d39bf
    SHA256: 6da6e1af935af6630d9ab7dbaf3188f7a3cb88eb868d4c46f20b16da436618d1
    SHA512: b6222f4a8edaf1f716d7ec9cd85d8e8504a3b1cb26f3dd4d1fb400c428cfaff67d0d1f783c509b1f83723204c26d5bb86ad2068d0a8fd437ab0664581384e3a9

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 7871a413b0ceddb4a077e4212407ac2c
    SHA1: b2acc5c3a585959f71dc770864770d51d00515be
    SHA256: b46659c7d0c276de9160072464582a91f28519c6ae4480fb25551cde7964439c
    SHA512: 1736cfeee16e27f6e59806502d4596f1c634798aa70bfa11da62cefae490d5a8bc62fe2215c113704aa512c7a5eb8c019ba6d8744c2fe83656aacab2500bc234

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 2.6MB
    MD5: bb3214d13e6cceae764f067cbb7955b2
    SHA1: 44a2aadddc4fb6e45025369f7a857bcd82f222b9
    SHA256: 5b3d7ac65f360664a58a5e8e0395ba3dfc16cc0fc318efed59f3f9148711e986
    SHA512: f55609bae070d2bff26e4a3c982de2af606d180073ed2ebbd05bd4def99b9d03173a3486e9ff3c4db602c43dfed0dd06d85d499c7c63d736a42286681f5c3992