Analysis

  • max time kernel
    119s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:02

General

  • Target

    e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe

  • Size

    2.6MB

  • MD5

    5a24aab9c57efbeeeddf8a3ab6fa1830

  • SHA1

    806fd05f97b00c41e8f22905e1b9eaccf8d75af1

  • SHA256

    e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952

  • SHA512

    841d09a3b7c3d91936b1574dc2264a9b54a0177d949836ea8944e9fa6f31a77df0a32b049aa68919cc7139ceba699f2449d2430d2e582363d7235a52530bf4fd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
    "C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4780
    • C:\IntelprocQ6\abodec.exe
      C:\IntelprocQ6\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocQ6\abodec.exe

    Filesize

    2.6MB

    MD5

    d386c7a016a8a20759831d8496c7aa54

    SHA1

    2c223f074a8642b74ac0ab7fef206f94ad766b46

    SHA256

    a2e5331437e98e39aa7890227da0067dc439680601ab8fe804983e34043ed53b

    SHA512

    d85ea3180d1d76c4d252f2e27932f66db83c2a4649d6c032f24693efafde6c1c2cf326f043dece5e3f8f00b65e781a086d636f10e09ed2d7b605dcc8a1bc6f9c

  • C:\KaVBHT\boddevec.exe

    Filesize

    1.5MB

    MD5

    6dbbf1f907c56e4cad9f07068b1440d2

    SHA1

    88a01d378c85aac6c6b673ffbb426e22d5188b20

    SHA256

    bb422b4f32d37c847a7a35f14c89f9432bf2f26cf9f9bf68c0cdf60b9be7c48d

    SHA512

    e939ee70eb8fa18c6e718f7209fd15a01ed7cfcb49e08a26e730236146505be58f77ef0cc5a64dc27ad0d6f4d01d430cd83c8708d4c2d3f5c88b6b3870e1f742

  • C:\KaVBHT\boddevec.exe

    Filesize

    70KB

    MD5

    b404c7aaa8aa55b523a16fae6df249de

    SHA1

    fbf4c29f207fc0b9d9ca8a8bd5aa67256c7d94b4

    SHA256

    d92748d084a832eea50c136997ecad3dae55d3ddb228417ba2a85ff99276895e

    SHA512

    24a56e9a78fa2275b43c1b04521d20088c32df7e25060e5443d0fabfcb71ec6f63e723520a553dfe1d8856aa1e8e10a73d8a2b3333f6ea4c9c0aee9c173d105d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    206B

    MD5

    2949afaf12b4c4cd32e13bbd3cd56373

    SHA1

    7cf84e327f890e9ad10aefae872270152f84692a

    SHA256

    c760abe583d5de093110940a03c281fca70eb9244ef8b3a6e10f15c3870265c5

    SHA512

    fe94410b95de3c991b236ed651ae926133a6ba4b3c44b123eedd20b18c8f2b84a2ec4f68a7246358e9a4136e69a8f136461c97b1f594bc5a0cb9dca307027703

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    174B

    MD5

    5bdde765657dee266953a6c2e4aaabd7

    SHA1

    c44c93e80e00d0b179fe702a0d0faa5a794ae04b

    SHA256

    7f3b58914f9b6728823f3eda46ee94559eb2b4fabba09e11d9e1dee1198e30da

    SHA512

    8e22c2e6ff2b6b2fb66ab170cff6e108ada5ff654a5fc3881750b1bc6e71a366aca6dbc51b40bab70b06f329f0c61b8b261d9f37159801b0d9c8492153722380

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    ee2310887b30bf0a05bec8bc7e37171d

    SHA1

    46aee67fc1facff25bb8fced054c9ab42e5714e5

    SHA256

    ca5f0940c0cd6ca1c812d03821795cf36e7ba1d6abcdcc29f78d0313db561024

    SHA512

    3bd0c171ae3f0c3a2e9315bb9ff1afce2068046b82b8b760987da1441b882c3a57ea9e0143bbdaf9e02b774de547ab08e22cf2b9779fec5cb68db191c1121697