Analysis

  • max time kernel: 120s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 27-10-2024 16:58

General

  • Target: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  • Size: 2.6MB
  • MD5: 472bd8b04f1ef850d7444b945f4b4b10
  • SHA1: 369f37738c50768e1092c6abe618d6023d484e65
  • SHA256: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3
  • SHA512: 83272470b2d06ab3dc2e67afc7b224f6ba9df5b8ccebf9c3dc9f8755d1fd9d3d7b4eddac4f18d145cdbb57dc8c479316bdd87df09dc5325ef2b45c1420b9c117
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
    "C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2412
    • C:\AdobePE\abodec.exe
      C:\AdobePE\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobePE\abodec.exe
    Filesize: 2.6MB
    MD5: e895e667bf68e89ff37fed6cf19605d1
    SHA1: 0b3d87a0556d0cc2b6f445f6cc93d05607b3398d
    SHA256: d78f5779f21b217770e6add6f045d9e3d0afa4821b5d5d8565668061fcb8ddda
    SHA512: 2be9db3dfad74c77f8ad02084ab7bf6a500ef0a13af51fa33772343390d4a9d97f6093352c3686632e16228918f3b6c25dff1726643c6851ea1d8dc5b38e9768

  • C:\MintP7\bodxsys.exe
    Filesize: 2.6MB
    MD5: 06510a26bee2ed170962571fccf9bffc
    SHA1: acae196b6875532c9dde736a885cb4c252f9d6cf
    SHA256: 4e4fb896431ab770ebea75879259afdb506ec4acb58b5426e2ff1d4e2cd9a6d2
    SHA512: c4c9cb21604fdf3b4917a463f2cab475b6fa5f2ee5a3d34aeee88c6fbd9584b372f6bda24cd69b9484c503c1996393d79f0b1f005dc6f91fe0eb7a6d3461e18d

  • C:\MintP7\bodxsys.exe
    Filesize: 2.6MB
    MD5: 646338675afa7f4f916cdd19f15e7ddf
    SHA1: 481738d4670f9a998e173e3dee5be78b50eed8af
    SHA256: c8cb6a65fde8e9237185db6b793d9d4445649617cd227f5389789a2f6d22c572
    SHA512: 7bb8050808ba437a5ecc33cf54dc7cfe6c3502f71f6c56e8a8863acfddb0fce67d823bd915614310f64709dd00e1674906b2fdc3f2e575a647f9d54a4542f7da

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 4c903d255c80a955bcfd09767da75318
    SHA1: 48bcc10d56aaae2af16483d8e34bf5bb0ce813cc
    SHA256: aa98593121332bba01772abc258832b83dd06988b28d147935ab9951b0ac9fec
    SHA512: cf6f425ca957bf53151dfca2bb3b0c469e0806e7716f46a63c6c19e2db7f9948d82b8172d52c261645175cea1189b90287507a7314dfa3476d46eced34b0fa7e

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: a60363e2819832539c98a6b384ce52ca
    SHA1: e91dc1abc3dbff47635d91ee90be0fd63ca4f9fa
    SHA256: 43a56088484ccf4b1e810a0c71db22b447925fa634fd4b2d8bdc8210d8099cd1
    SHA512: 2c345eca41866dc4972f959b8a96f35cb7f96d78b5a14b9679079e4da99c99e0e6a87381cdc2e7ad6de818fca50506ac6a2a21af301569dfba400b27ba1b77e8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 2.6MB
    MD5: 433da50c4114d276ebd94f86c1e34c02
    SHA1: f2dd02ab08a1c7e45860dfe32a589e49498d0767
    SHA256: cdb59dd2d708f3685e7f4c813da6c0d00f248885f48613c2e8e95f2311c1ed04
    SHA512: 04d9781eb779301970c27facb92740eba8d6fb49039520056800ba777b133a3d0160ee1c04a3251963b12236c02878bf796cb0e7d612d4e5efc381f128542ee5