Analysis

  • max time kernel
    120s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 21:57

General

  • Target

    a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe

  • Size

    2.6MB

  • MD5

    9ebc951d9f3d04ba4d47f1505fee8b90

  • SHA1

    e0a79e1dd7d32d225df7099fde992c04bfd4c97c

  • SHA256

    a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d

  • SHA512

    802fef0c5e9258932e1d4e973edac26d60cfb1399c38593e15a2a484a6b75aa6d15c3a874762d805ea86e6ad7cb31e8141753b9bf053ad06596f5b67edf0b7e4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
    "C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2060
    • C:\IntelprocFT\xdobloc.exe
      C:\IntelprocFT\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1676

Network


        Downloads

        • C:\IntelprocFT\xdobloc.exe

          Filesize

          2.6MB

          MD5

          730de6f3c43df5ce8b4e5f87faa3cec9

          SHA1

          76e7a53a073936a5bf252bc93521df8fa12a189b

          SHA256

          c96f597439ba77c0b88eab7848946ed2adfdc50f7257ca2e857e827c1c820322

          SHA512

          a173e50570a7db3c4771a124a1d2018ef7fa947f79d9cd1513c8e2d7b7ff89536915bc5d7124c24a19b6888846fcff80894cf5efcfe21f04156a0c6c90b05b15

        • C:\MintNC\bodaec.exe

          Filesize

          2.6MB

          MD5

          4340c5af6e8404038ab5805015895c05

          SHA1

          c00d24afad04cfd26e3dfd544f67e8e7ffd47759

          SHA256

          71c1adee2c548c270f834b22d949916130eb8485183d664458182d440a7157d0

          SHA512

          bdea9a4321ad8065e4d2306f28c85f62c362400987323d2a1b7db845b041f8ab252c72a73df0d7dff5f3c1bcc1661f51995b28f7d8ed0638636bcb9f5e1092dd

        • C:\MintNC\bodaec.exe

          Filesize

          1.2MB

          MD5

          1626f324fa76ed86c3814dcca605b817

          SHA1

          6ba221c51a418fecdf56b3277123fcc908e7593a

          SHA256

          d707cbac79a9ab9fa4e4101c71e673b5b4fb13276cc58cd2a7fabdb5994eecd3

          SHA512

          5979cde95fe4b98963df21a664dcd4ea7d1f3f44b353030b9a7d024d4710af23fa8cf7ee277fca027e2725aa603238d2f4fb552887d27727d824a991b7598f47

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          40878f1230354d0fd041f4f470710fe0

          SHA1

          11aa86d24de207762e1e586688f64e3cadc9d37f

          SHA256

          b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca

          SHA512

          45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          701dbf1ecd0054eedb47cd021b9cc453

          SHA1

          162423eab564bbff4240251d14f2f0b698529519

          SHA256

          7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578

          SHA512

          17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          5b82cc106f7bd815d82e2bc95ef2144e

          SHA1

          9daec5d99925f8bc63d4c13804889799be30af0b

          SHA256

          2289ec1d42300b48baa80c9bfe1becd2baba7339ee930681f29079af79ab4663

          SHA512

          f08912b9b194f9b212d4698ef5163d36c958e0f7a05ff94d0845d8292f3e0a11705d724bab6f3f70d190497689265055a9e4ce5cb9efb8375629017d3c4d233c