Analysis

  • max time kernel: 120s
  • max time network: 101s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-10-2024 04:06

General

  • Target: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  • Size: 3.6MB
  • MD5: 52e077fa15122034a64c117e7808ce20
  • SHA1: 36097a2e0d084de643126e98ad1f2888b55b61c8
  • SHA256: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353
  • SHA512: 1a499fb6d13595813d49c92e5ee09062012f7350f14e44ab2732d740877614db9a2ad2679ecd0c659736ecf45e35e2599c5c939592727e68d03240a2b4896edb
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe (depth 1, PID 2176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (depth 2, PID 3156)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocKM\xbodloc.exe (depth 2, PID 2724)
      Command line: C:\IntelprocKM\xbodloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • C:\IntelprocKM\xbodloc.exe
    Filesize: 3.6MB
    MD5: 02e0c9080d727013f9b350bc37565585
    SHA1: 533c0f640e88c4d9a903828869d5e8282eead35c
    SHA256: 5f130dbb1eb13bbdace86563b476e1d6ffac7f0e14004fa41122663f9e58c5f6
    SHA512: e373016c6d90d46efbf59fa1b4d51458c3e847957703a67bc0d7d1ecb70f05029b326f1cdc625070a4d998e9bb62388e5d8a2f9823ec616df1290793619a2a28

  • C:\MintEC\dobaec.exe
    Filesize: 1.1MB
    MD5: 89cba1fb1a4fb83a1bb886201d7cd6d7
    SHA1: 3e05f006a719f7f0aecba2cd1fefd33e74b99536
    SHA256: 16372c0d6174081d3e76cee61915f9032fa97fbdf4b1fbf1359739b440457e2b
    SHA512: ef5c596c826a1acbd07e80438cfdd728244baea704d022a92f3d5dbf6433d6a2a156f77f7d8b307c023c4f168151d1d942cbe6960372304b2bdfeea0c2782d64

  • C:\MintEC\dobaec.exe
    Filesize: 801KB
    MD5: f3f696f4a91c272a473a0e4c3888def2
    SHA1: 5a0e26733680d6c69d92431efdc909e41e1b6726
    SHA256: fb076ba47fa182f3a83e5adf54d7dc3674ffdc975482264197dcf944b2ca9bbe
    SHA512: 5b49998f7ffba2fcb54907e8a6cafb624dd3e0118cc2fc1c2b0365df74aa5470aaf1bf15795e4e809eb5f3593dcc93b7b0573eada765219c8efa8bb74d39a73f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: de914bc8387ef1ed79e506c3d89ce47a
    SHA1: 125e27b52f781ab4bc29756a2c5cc1e010908760
    SHA256: b5b8f2f5fc98aac388f013ec89080501669c312dd70505080ae80c58b0b7e723
    SHA512: 5d4f3535ff55cba19471bd4ea682ec6c9e980488022163dd3908ad9b07fe90cd80f884cda9958e093a715334d4c939e2b1aeaf3db67d874953ab8555516a982f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 09f0cfce8c8e57bf13dbad0285425f05
    SHA1: ce24702d19efe0f2636c6aacb7ec82ae4a960cce
    SHA256: c527bd8029b067e3fbddc684f93fb7bd464a07fbe2d67353183cf22fe996f567
    SHA512: ff36b96655521086f6728af408d9e09cf8db22822ceb5d566247379ab1f53774c8f6467384158e30ac23959400fcb2cf2399b3f1ff8ba24680f69efec5cd2a12

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 3.6MB
    MD5: af8aa649d739a2c0613b36b142081aaf
    SHA1: 87c6e8baefe9c2dfbd02800992fefa3a19ce8e81
    SHA256: 94e3b37a614f66b2cd4f927ae4da2587be3d8ef5ca178470bf102080db43967b
    SHA512: 77c6e0226b6e4871297b9ddb7d46924a2875060ce74c86187fcb08ce782998b1f039ae1ce9b55965cd9437f740be8eef1e1ffcb47787b514772948518b12765c