Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/11/2024, 23:11

General

  • Target

    ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe

  • Size

    2.6MB

  • MD5

    e2c915908dc344b7f41f097704185160

  • SHA1

    3302b95b46ed698840f8a7900f470e6a372cc399

  • SHA256

    ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6

  • SHA512

    35c58c22505af10c0197bda4782d062eb2a4188595b2fef1fbe08050667e625c144526f19ea3176ed819e8b85ab4421c5da6dea877dca137f839311a58701ee9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:916
    • C:\Intelproc0C\abodec.exe
      C:\Intelproc0C\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3948

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Intelproc0C\abodec.exe

          Filesize

          12KB

          MD5

          5ce46de9d1c8ab23eeb8a98bb0b2232e

          SHA1

          eb2b026ffaf5a7802065fa5971c5c4495fa6763a

          SHA256

          0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

          SHA512

          173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

        • C:\Intelproc0C\abodec.exe

          Filesize

          2.6MB

          MD5

          9606761c172809659a6fab791bf9c2c7

          SHA1

          6fcc04080b049fdd3d41f5f8899ed283c0afbd11

          SHA256

          27b9214cb8f6f54b2cceb5a747ff3b00666266bc66d61e818ac5bfd804079355

          SHA512

          5b42cb9ba96ea16441fed47f86e4e6243d2393e1562c11d5fdbd7863a71da020987388f4f7c0b121eac595458d05f3efcd542544880a77830bb5dbeaa5f7de37

        • C:\MintFJ\optidevloc.exe

          Filesize

          4KB

          MD5

          34bd8ff991b1427aa83cc59b77d0487f

          SHA1

          1775fb0e77f2b1b201917c49e409123372df9167

          SHA256

          8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec

          SHA512

          5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e

        • C:\MintFJ\optidevloc.exe

          Filesize

          2.6MB

          MD5

          5488bf8d623322cded444947d41bea06

          SHA1

          06e50fb2d904d2e8c2664c8e66a6862cfaadebdf

          SHA256

          4a3f4d8b5e3f35305afd9d8d7939578366143f36087fd791dff20d7880011262

          SHA512

          d7d8510a992624c2dba3241db74dd32d5a051adfb5af5efdc94fc8b8ca64640cd275e029759edb802a8a9df227cd46b2bf54dd87956f77572287470bde8862dd

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          206B

          MD5

          bfbb71807b5bad38b008c7ebb86a71b6

          SHA1

          32f34ba35eb9080094844aa25711a1e9ff5b3fac

          SHA256

          14060741eb5c18868a90e178fcfb3b5786dd458c8f7f03663b5445872a8fc80e

          SHA512

          599c2592f5b47c6c2dee40228c67506b0d1df9879cd65e7e35d5a20e4a3a8a81861fcf3668130bd0aa2b83ad4bd2f647c03922a9302968aad0afed0fa4bc00af

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          174B

          MD5

          39713eacbc2efe14b982ea95702aac13

          SHA1

          b0a2aa2abe2f00b9613c28e857359586d835b8da

          SHA256

          57d91939662c0feba409b5a61e5e24058410b8acb53cc928b6e6a90f2fd536d4

          SHA512

          22ff16f2c4212742f7019f1f80adc49e06c727fea730f615bf26a6aa706f998500cea9d2acb25e85c2d1efac0fa6193b7b8c8746d2c1f2f326be6fbc23e580df

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

          Filesize

          2.6MB

          MD5

          c0232624eccf5a0bc36028ce53bb47fb

          SHA1

          9ad8d80ab3a70f0359f111cffec9d9de96a366ae

          SHA256

          1bad22a0db0e2e8bb1534ba397cfb7d34ceb047c6ae182b4ebb4607fccd30386

          SHA512

          a9e6b836665f04d759311df6708b5978c6b8ca366c9d3cf739c66266317b4ac9de35c84824fa465ec27a4fc593af3982bf83aff33d52e96e31f79eebe65a69b7
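The dropped-file hashes and persistence paths listed above turned into a host check, as an added example that is not part of the sandbox report or of the sample itself. It assumes `root` is a directory standing in for the victim's system drive (for instance a mounted disk image), so every file is rewritten as a `C:\...` path before the patterns from the process tree are applied. The sample tree is constructed from placeholder bytes; the report's real SHA256 values only match the genuine dropped binaries, so the demo adds one placeholder hash to the IoC set to exercise the hash-match path. The Run key the report flags is not checked here because the page does not list its value.

```python
"""Scan a file tree for the dropped files and persistence paths from the report above."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# SHA256 values copied verbatim from the report's General and Downloads sections.
REPORT_SHA256 = {
    "ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6": "original sample (2.6MB)",
    "0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0": r"C:\Intelproc0C\abodec.exe (12KB)",
    "27b9214cb8f6f54b2cceb5a747ff3b00666266bc66d61e818ac5bfd804079355": r"C:\Intelproc0C\abodec.exe (2.6MB)",
    "8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec": r"C:\MintFJ\optidevloc.exe (4KB)",
    "4a3f4d8b5e3f35305afd9d8d7939578366143f36087fd791dff20d7880011262": r"C:\MintFJ\optidevloc.exe (2.6MB)",
    "14060741eb5c18868a90e178fcfb3b5786dd458c8f7f03663b5445872a8fc80e": r"C:\Users\Admin\253086396416_10.0_Admin.ini (206B)",
    "57d91939662c0feba409b5a61e5e24058410b8acb53cc928b6e6a90f2fd536d4": r"C:\Users\Admin\253086396416_10.0_Admin.ini (174B)",
    "1bad22a0db0e2e8bb1534ba397cfb7d34ceb047c6ae182b4ebb4607fccd30386": r"...\Startup\sysxbod.exe (2.6MB)",
}

# Path patterns taken from the process tree: an .exe launched from the per-user Startup
# folder, and an .exe inside a short directory created directly under the system drive
# (C:\Intelproc0C\, C:\MintFJ\). The second pattern is a heuristic: it also flags software
# that legitimately installs that way, so treat a path-only hit as a lead, not a verdict.
STARTUP_EXE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
ROOT_DIR_EXE = re.compile(r"^[A-Za-z]:\\([A-Za-z0-9]+)\\[^\\]+\.exe$", re.IGNORECASE)
BENIGN_ROOT_DIRS = {"windows", "users", "programdata", "perflogs", "recovery"}


def to_windows_path(root: Path, file: Path) -> str:
    """Map root/<rel> to C:\\<rel> (assumption: root stands in for the system drive)."""
    return "C:\\" + file.relative_to(root).as_posix().replace("/", "\\")


def sha256_of(file: Path) -> str:
    h = hashlib.sha256()
    with file.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def path_is_suspicious(win_path: str) -> Optional[str]:
    if STARTUP_EXE.search(win_path):
        return "exe in per-user Startup folder"
    m = ROOT_DIR_EXE.match(win_path)
    if m and m.group(1).lower() not in BENIGN_ROOT_DIRS:
        return "exe in non-standard top-level directory"
    return None


def scan_tree(root: Path, known_hashes: Dict[str, str] = REPORT_SHA256) -> List[dict]:
    """Hash every file under root and report hash hits and suspicious locations."""
    findings = []
    for file in sorted(p for p in root.rglob("*") if p.is_file()):
        win_path = to_windows_path(root, file)
        digest = sha256_of(file)
        reasons = []
        if digest in known_hashes:
            reasons.append("sha256 matches report: " + known_hashes[digest])
        path_reason = path_is_suspicious(win_path)
        if path_reason:
            reasons.append(path_reason)
        if reasons:
            findings.append({"path": win_path, "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree; contents are placeholders, not the real dropped binaries."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    files = {
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/sysxbod.exe": b"MZ placeholder",
        "Intelproc0C/abodec.exe": b"MZ placeholder abodec",
        "Windows/System32/notepad.exe": b"MZ placeholder benign",
        "Users/Admin/readme.txt": b"benign text",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo() -> List[dict]:
    root = build_demo_tree()
    # Register the placeholder abodec.exe's hash as if it were a report IoC so the
    # hash-match branch runs; the real report hashes cannot match placeholder bytes.
    known = dict(REPORT_SHA256)
    known[sha256_of(root / "Intelproc0C" / "abodec.exe")] = "constructed stand-in for abodec.exe"
    return scan_tree(root, known)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "|", "; ".join(f["reasons"]))
```

Against a real image, call `scan_tree(Path("/mnt/image"))` with the default hash set; any SHA256 hit is a confirmed match to this report, while a path-only hit on a root-level directory needs a look at the binary before it is treated as the same sample.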