Analysis

  • max time kernel: 120s
  • max time network: 106s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-11-2024 21:19

General

  • Target: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
  • Size: 2.6MB
  • MD5: 3d3ea83b2b8f6d254c654505521506b0
  • SHA1: a4480aae27dfb526384eb179b3896e6d2fada447
  • SHA256: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276e
  • SHA512: 639eeee85e8d6884a1d383f7808702b9d957b71e7914a2fbd3e976b30b61dec755adfde21505b030f53365aabcb1312d761f5ac3a26ed527dc2d6c917275a881
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUptb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
    "C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3160
    • C:\SysDrvIF\xbodloc.exe
      C:\SysDrvIF\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvIF\xbodloc.exe
    Filesize: 2.6MB
    MD5: 576ef3a9e8cd8716a2cedaa9cf1d6b67
    SHA1: a0936459aba43cbdd7b505ddb40ceb7de397b6d8
    SHA256: 2d1a5c269342c32a22489d3dc974186d752594115eb79c50e6125c0c4cf90e5e
    SHA512: c8c2cb616e3aead71f01e76cf431c35515e99e76b110063b10d67f6a8c84a820cd629ee9d502b790710e34504f1caaadb6a0797d92c4c19845e830f09c0a00f9

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: 7cee29388ba0d0de65f3d14e7d2bbd5d
    SHA1: a870404eebe93d7dc944d93ddac4c42ad10b3adc
    SHA256: 32af582136688e66af7dc6272e71e99cbc9f3a0be13abb4c82e7a7f28619d019
    SHA512: dcf4c99beba76b35d79be60b939956e6ff6ffe42ac6a3e51ad0e06a4c3484a947a8e7baf9dcde1c68735a4f553579ad35a55f982cc2e216d0fa2b239d23a0733

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: 4aef080a70ed79f33c03f5617e0da61f
    SHA1: 3a0403d246de1f1ee60c08df5731679c62e78b21
    SHA256: 1e8383c00a5384d18d989218c441e6f9c4db6f3b91392d98fedf697dd32a52b2
    SHA512: 416708497847b1a18bebe7df1615ac870833091261df3be3aea41be7394c06e4a0311e414bf904cc7f589f48134eb256845bccab74607b5c43a6848e82e5affd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: faa8721dd03581d270e2aaac555e2580
    SHA1: 76fcc9623d8b495176718f50a95dc62d36525116
    SHA256: d7e3f33a2f6fa4e65a199e49b79273afec67ce32ba8a8b26c7bf64c1f7627eb5
    SHA512: 90061eddcd7d3685d3ac7867178cbf91829089695be73feeb9947631b5052b419eabb6f080fce3b0b5ff56cf49a7f1f0d3cc3a976ce5f2e23976c33169146019

  • C:\VidZ1\bodxloc.exe
    Filesize: 1.8MB
    MD5: 81c2db7655bb61d8128f7d54f9af69df
    SHA1: 617e0ec2bdda81d7e6318ca99bb930a4bba478fa
    SHA256: 728c48d8f2543ea2820d9f2ea78745c84c1c8898104b3a5d80b54583882aedbc
    SHA512: ef9ef4493cae656fd28c2f18fb2a02b02021378d8fea87e8bfb5285dadd75485d1f0bd2be7aa151a9294e8106b2d24814e1bbaeb2f6353d71d95464e4acbfdf9

  • C:\VidZ1\bodxloc.exe
    Filesize: 7KB
    MD5: 20ec6effd447fb35f7db816f8c616148
    SHA1: c8c9edd9f30b93dc161fc035c69b57e7af305dce
    SHA256: 43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7
    SHA512: 6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf