Analysis

  • max time kernel: 119s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted: 08/11/2024, 22:23

General

  • Target: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
  • Size: 2.6MB
  • MD5: c0f890c9b99201af39fd56f688b7d8e0
  • SHA1: 6ca6f2ad3d375789f061c2f78aead750025bb599
  • SHA256: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5
  • SHA512: 27e12397a0946219f60256774774a5aab5309935a717439a6a1eae1b6c68a1ac4272178cda5d8548298fa0cc22e58adefb36ffa78d58a1f318d0d9d17f697c3c
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers commonly read stored browser data such as saved credentials and cookies.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5020
    • C:\UserDotB5\xdobec.exe
      C:\UserDotB5\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2700
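
The tree above is a single persistence chain: PID 384 writes an executable into the user's Startup folder, writes a second one under C:\UserDotB5, adds a Run value, and then launches both dropped files itself. The following is an added example (not the sandbox's own detection logic) showing how those three signatures map onto host telemetry. It assumes Sysmon-style ProcessCreate (1), FileCreate (11) and RegistryEvent (13) records in a simplified form; the PIDs and file paths come from the report, while the event stream, the SID and the Run value name are constructed, since the report does not show which value was written.

```python
"""Behavioural rules for the persistence chain in the sandbox process tree.

Added example, not part of the sandbox report. EVENTS is constructed by hand
to mirror the tree: PIDs and paths are from the report; event IDs and field
names follow Sysmon's ProcessCreate (1), FileCreate (11) and RegistryEvent
(13) layout in simplified form. The SID and Run value name are placeholders.
"""
from collections import defaultdict

# Case-insensitive path fragments that mark the two persistence locations.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe")
SYSXBOD = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\sysxbod.exe")
XDOBEC = r"C:\UserDotB5\xdobec.exe"

# Constructed event stream in the order the tree implies. The parent of PID 384
# is not shown in the report, so parent_pid is None; the registry target uses an
# invented SID and value name.
EVENTS = [
    {"id": 1, "pid": 384, "parent_pid": None, "image": PARENT},
    {"id": 11, "pid": 384, "target": SYSXBOD},
    {"id": 11, "pid": 384, "target": XDOBEC},
    {"id": 13, "pid": 384,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\sysxbod"},
    {"id": 1, "pid": 5020, "parent_pid": 384, "image": SYSXBOD},
    {"id": 1, "pid": 2700, "parent_pid": 384, "image": XDOBEC},
]


def detect(events):
    """Run three rules over an ordered event stream and return the alerts.

    drops_startup_file   : FileCreate under the per-user Startup folder
    adds_run_key         : RegistryEvent under ...\\CurrentVersion\\Run\\
    executes_dropped_exe : ProcessCreate whose image was written earlier in
                           the stream (any writer, not only the parent)
    """
    created_by = {}          # normalised path -> pid that wrote it
    alerts = []
    for ev in events:
        if ev["id"] == 11:                       # FileCreate
            path = ev["target"]
            created_by[path.lower()] = ev["pid"]
            if STARTUP_DIR in path.lower():
                alerts.append({"rule": "drops_startup_file",
                               "pid": ev["pid"], "path": path})
        elif ev["id"] == 13:                     # RegistryEvent (value set)
            if RUN_KEY in ev["target"].lower():
                alerts.append({"rule": "adds_run_key",
                               "pid": ev["pid"], "path": ev["target"]})
        elif ev["id"] == 1:                      # ProcessCreate
            dropper = created_by.get(ev["image"].lower())
            if dropper is not None:
                alerts.append({"rule": "executes_dropped_exe",
                               "pid": ev["pid"], "path": ev["image"],
                               "dropper_pid": dropper,
                               "parent_is_dropper": ev.get("parent_pid") == dropper})
    return alerts


def chain_pids(alerts):
    """PIDs that tripped every stage: wrote a Startup file, set a Run value,
    and had a file they wrote executed. One process doing all three is the
    pattern in the tree above and is worth escalating over any single hit."""
    by_rule = defaultdict(set)
    for a in alerts:
        pid = a["dropper_pid"] if a["rule"] == "executes_dropped_exe" else a["pid"]
        by_rule[a["rule"]].add(pid)
    return (by_rule["drops_startup_file"]
            & by_rule["adds_run_key"]
            & by_rule["executes_dropped_exe"])


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'{a["rule"]:<22} pid={a["pid"]:<5} {a["path"]}')
    print("full chain from:", sorted(chain_pids(found)))
```

The dropped-file map is keyed on the normalised path rather than on the parent PID, so a dropped binary launched by a scheduled task or by the Startup folder at next logon (as sysxbod.exe would be after a reboot) still matches; `parent_is_dropper` records whether the dropper launched it directly, which is the case for both children here.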

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\LabZ4W\bodaloc.exe
    Filesize: 2.6MB
    MD5: 0df908c3f34fbe60c1fe418a7842f0d6
    SHA1: 9e06bf1856e2a22d23bc18f23ea136707a3ee04a
    SHA256: 63eaa615fe2ea566029633e313e69d4feb59dadd21f62e803a01b7c9a7a522a2
    SHA512: 6bcccb26eda145143e3f67a45f3ab0a43734096044f513353427e5d8e861c444e809c533ae95c3b1850f74d3cc31ab1dd0efbdeaaeb7172059a177b33f5f421a

  • C:\LabZ4W\bodaloc.exe
    Filesize: 1.8MB
    MD5: ce71db63a4047ef756d5c7390422c1a6
    SHA1: c31aab720f97e086fd1e8d7538cb486e86f9cf40
    SHA256: 3c6a9e7a7b7b05a44d0a83f80d525aa0a12df149d1eddc9d9e776a841b3dec90
    SHA512: 3afc0ac85c5881f27778fba1156b047b06a16f1f334f1d24c53efbe42b66b416588f3aa6b4ffba1a97c51d5b384dc41070d0546dbbfb5aa7a9812111c49e1ca8

  • C:\UserDotB5\xdobec.exe
    Filesize: 33KB
    MD5: 0bff6a8bffb6b865fbe4908d666b07ee
    SHA1: 5e176ff62c86ebbdaab5e545079308f50395f3f6
    SHA256: 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
    SHA512: 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e

  • C:\UserDotB5\xdobec.exe
    Filesize: 2.6MB
    MD5: 1773562780076bc0357f512c14a1bccd
    SHA1: c19a79776bfc220c44b3577fe3594b5ea7e48ac6
    SHA256: d58f8e820f627b9e38d5ba12c64762809f9751da31e545824f53336fde4fe933
    SHA512: ef7acc9f815c8b57128c2f01b5edc0d77e8cd20568dc7392f1dbb19f9f90a7ac3d9950e0233b508c1caa6faeb391c3ba6c141336fa0944ecea7f2fd68133f3cb

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: e096f89193d31f2f5daea4549f7da64d
    SHA1: 6d8002acfd71dc968921c32b7b48fe832b43a832
    SHA256: 877bdeac6e06a0043c0e0a808a2d25069287f546dce1fb782b93480e25bc6141
    SHA512: 98a9a2c7126d4303444e8d82a6a67b23e7607e116e73281f518c1d5d8a3cfbb0796037f8718e70b7559c8261b35d27939d86ed278e466b1bd2df208d31eb2b04

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 8dd51ed7c0fd42f6ba68db74bb1f8af9
    SHA1: 1339bd2ff1b739b0e136f55201fcb05ae032d8e3
    SHA256: 8f2896a479a10e9a773b7857d8a38880a82a73fdf0719b458ab3208bfec51924
    SHA512: b4c04af7d2527780af0a5397d0a8772e4488bbf02fb4e88fe4c1c42dad391dc1839e4c67a021519cb98754d8a467112049f061a3aa6b1f992a4d6e3066eceb53

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: 1e3547ecb2ca2b4c5c17873d41d67446
    SHA1: d98d1a1fcfb5e09e3d1351866b5577eb94e6d6e4
    SHA256: 6525b4331b390cbdfecc329ce55aaf6009ac0e8eaf7202c76e3e80dd085ab73e
    SHA512: 9fa15d36ce33b81a01615415965a7741936f3fbe5c1f5544b6eef2fe1327bdb02c29f5ee7ed5eddf61e49b008b670e2d5278c66def078fb9cdcf9acb1c646bed
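
Three of the paths above appear twice with different sizes and hashes (bodaloc.exe, xdobec.exe and the .ini), meaning the file at that path held different contents at different points in the run; every hash belongs in the IoC set, not just the last one. The following is an added example, not part of the sandbox report, that parses this dropped-file listing into records, rejects malformed hashes (the usual copy-and-paste failure when lifting IoCs from a report), flags paths with more than one SHA256, and emits a deduplicated blocklist. SAMPLE is a trimmed copy of three of the entries above with only Filesize, MD5 and SHA256 kept; the parser accepts both the two-line "Key / value" layout and a one-line "Key: value" layout, and the field names are the report's own.

```python
"""Parse a sandbox dropped-file listing into an IoC set and sanity-check it.

Added example, not part of the sandbox report. SAMPLE holds three real
entries from the report (trimmed to Filesize, MD5 and SHA256), written in
both layouts the parser accepts.
"""
import re
from collections import defaultdict

KEYS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HEX = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

SAMPLE = r"""
• C:\LabZ4W\bodaloc.exe
  Filesize: 2.6MB
  MD5: 0df908c3f34fbe60c1fe418a7842f0d6
  SHA256: 63eaa615fe2ea566029633e313e69d4feb59dadd21f62e803a01b7c9a7a522a2
• C:\LabZ4W\bodaloc.exe
  Filesize: 1.8MB
  MD5: ce71db63a4047ef756d5c7390422c1a6
  SHA256: 3c6a9e7a7b7b05a44d0a83f80d525aa0a12df149d1eddc9d9e776a841b3dec90
• C:\UserDotB5\xdobec.exe

  Filesize

  33KB

  MD5

  0bff6a8bffb6b865fbe4908d666b07ee

  SHA256

  1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
"""


def parse_downloads(text):
    """Return one dict per bullet: {"path", "filesize", "md5", "sha256", ...}."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry; the path follows the bullet
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue                             # text before the first bullet
        elif line in KEYS:                       # two-line layout: value is on the next line
            pending = line.lower()
        elif ":" in line and line.split(":", 1)[0] in KEYS:   # one-line layout
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
        elif pending:
            current[pending] = line
            pending = None
    return records


def validate(record):
    """List problems with a record: wrong hash length, non-hex, or no SHA256."""
    problems = []
    for key, length in HASH_LEN.items():
        value = record.get(key)
        if value is None:
            continue
        if len(value) != length or not HEX.match(value):
            problems.append(f"{key}: bad value {value!r}")
    if "sha256" not in record:
        problems.append("sha256 missing")
    return problems


def rewritten_paths(records):
    """Paths seen with more than one SHA256: the file was written more than
    once with different contents, so each hash is a separate IoC."""
    seen = defaultdict(set)
    for r in records:
        if "sha256" in r:
            seen[r["path"]].add(r["sha256"])
    return {p for p, hashes in seen.items() if len(hashes) > 1}


def blocklist(records):
    """Unique (sha256, path) pairs for a hash blocklist or retro-hunt query."""
    return sorted({(r["sha256"].lower(), r["path"]) for r in records if "sha256" in r})


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    for r in recs:
        bad = validate(r)
        print(("BAD  " if bad else "ok   ") + r["path"], *bad)
    print("rewritten:", sorted(rewritten_paths(recs)))
    for digest, path in blocklist(recs):
        print(digest, path)
```

Run the whole Downloads section through `parse_downloads` rather than copying hashes by hand; `validate` catches a truncated or mis-pasted digest before it reaches a blocklist, where a wrong value silently matches nothing.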