Analysis

  • max time kernel: 120s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 22:00

General

  • Target: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
  • Size: 2.6MB
  • MD5: 0ac1a0efc1023e6cecc0c6c6dde40980
  • SHA1: a0ad2ae3a452ad35b8ddf2708260cb0af99da89f
  • SHA256: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ec
  • SHA512: c918a55040ff23b428814f621d774d3698c2cb2e66922bb7f79f7744d3c60717dd69e260189a48dade85b7dcbdf2ee1ce164baf0da96b82296573d72238e9cc5
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSq:sxX7QnxrloE5dpUpWbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
    "C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1476
    • C:\UserDotT9\xbodloc.exe
      C:\UserDotT9\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBCB\bodxloc.exe
    Filesize: 128KB
    MD5: 6d8f5cf2091a9ee93796b28b998e1367
    SHA1: 9fda8243ddc4d1f4d983e8ab348597438510a6bf
    SHA256: fae0864da018624feabec4a286288748e27804e7d27a052dfcd00640b6b86732
    SHA512: 3bd627b9e1cc485e787f39bd16c101aa74889cc29a55d32c3b1361be4394ec3def2ee8f713f44a10ba27d8624b185752173e826a30a88af702019c8918d098db

  • C:\KaVBCB\bodxloc.exe
    Filesize: 2.6MB
    MD5: 99d9a0d16f5b460cfa632d4ad78fe001
    SHA1: bbe3aee9180a3a843f50e1d84d490e7a9eace0c2
    SHA256: ce06cd757c86c26a8900b6fd892429c96e2272a4c8a45131b13ad85905202bcd
    SHA512: 7cc8ae63b0d3a8a640297307e087f4a6a569aef0669e7d062d4fe7a21966ba3b2a823d8b027c5a01084a93c14ff03889de6c57ee252b81a1ca1d3b75e95b31e9

  • C:\UserDotT9\xbodloc.exe
    Filesize: 2.6MB
    MD5: 2d5775b3d35087ec03d0847e347f9cd6
    SHA1: 42f35f91acec84f8826511dd186f791e1427aea1
    SHA256: e36c677706615e01535fc20e7bf357ad624c6ff3942db9a859bb63fbf3c2032d
    SHA512: 40375e71b573bd6cdd25fb21dd42265c7d7f9817282693bfbe2252ee0e013f474dea2a012a4f9de1a426dbf96c6146dd5d7b751cd6d9f13a736af33a1f002c86

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 17ffdb9427f30c7d109fd7b83291e749
    SHA1: 3684fcfba4ec06f7caf71ad609f8220348d4dedb
    SHA256: b3d88870ce1ce53100a1b5a94697b2ec8c85fed268ce341321729b28814c0e94
    SHA512: 0da9962b9493b37cfbd37d051919a98223c7325a57fcbe891b0ffb16e670ae7a2278eac75bba7bb28667cae9022e7651b0dfa914c5a590315f23485b9432c293

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 16e0b0ff87242930a6da6c3ecd52a17a
    SHA1: 9306c4aa8966ed93f30f7be7dca8f07e982525e7
    SHA256: 009b0818b04a40c48214ddfc7cedfe6ddee8c939bae262fc5a46113161e4ed5a
    SHA512: d50d3375e85de7a0a3bc2b82eb82f9a4e62e7b8e687312a6d5044e71ff253eac5f00ef366c96c0c78275cbd07a9f199e36a3ec19569333b5ab281d7e156d814f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: 8a1e51c3a21e972b822271edb0274ede
    SHA1: 273cf591897c2e5486febc8741cba38bea9af704
    SHA256: d2356b1a8e40ed286547ea575c9df01c343bd9b653e03eadd0e7b27d8b450a99
    SHA512: 26d28a7004cb9a2c95aa743d3c022753759023504dacfef312118a95b5ec49d21eb750761e563daca53dd3b314521dca6686b4e11183469456d51d03610e5f09