Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 12:22

General

  • Target
    82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
  • Size
    2.6MB
  • MD5
    6bb5890855484aa5c398f0f8625cd5e0
  • SHA1
    b319933107d13c293fe93ebd287d73d87c5c0f26
  • SHA256
    82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5
  • SHA512
    3d3be118d611863225e7f6ef424c24fbd8b43b4f716fb5d28b24597c537a3bea4f8f606750d3d7d53789646c6485b4e9e65a791eb5d6c566f9d1561d270c3c9f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4224
    • C:\SysDrvY5\xbodsys.exe
      C:\SysDrvY5\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:8

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBGG\bodxec.exe
    Filesize: 472KB
    MD5: 2b6b5c9a118fdc1e2b983510b101d9d0
    SHA1: a8158f4a3935a92c601e4a76d466572a251fa8ad
    SHA256: d4df447dc0d4417943fabdabe0d99eece1627ac88cf2e3ac452abdaa1adea78c
    SHA512: 030d3b9215de49d9f6698a1a8e82ff0a6cc10dba81323eee1198b8b1fce22b12b1417297ed34bfebbf96763a2618323680fbdac5e3b3ca9a93b0a840cfb74f6f

  • C:\KaVBGG\bodxec.exe
    Filesize: 818KB
    MD5: 8f43358efab98b34e760ee94c7f9fbc3
    SHA1: 3274cb9f216b7efbd4eb55d16d90242098caf7f5
    SHA256: 111548dd47523ebdb0d2a3f5cb162945ee7f74342eeaafc462835c03ef21f264
    SHA512: f6b47b4ecc572c905570b75cfd2810f730cb86b8fab99721bc49860413d8628662123114b94eb3caf16ec0117d1632a3772051f3deeae103d43443f45bc1b202

  • C:\SysDrvY5\xbodsys.exe
    Filesize: 2.6MB
    MD5: e1b028b63bb71e547f5c524ae705b316
    SHA1: 429d40b18513c7dff79badeadf32b0867186d669
    SHA256: 028c0b749eff4c601bde013aefc25474e5ae5816ef34ea8d2bdca25aaa7614b0
    SHA512: b2bd8b686be3f02fc0446d3ee4c8c2d048b7d710016fe44985638e6b2437baa1666cdf6ff4e26f322cc19377f921a2f84410b6642262abf78a5f72dfa7b2663c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 043d6fd56c6f1e02144c7a4ea7b78961
    SHA1: b282a846a4ae248fa7c9911d954b98ef3d9142cc
    SHA256: 21881750b2d2ab10dd5e8d09e1e3f1b026d9faff7a2dd4ea19a81c976207538e
    SHA512: 9f116deea57968ef5890b7df3485e23fe9fc100425d705a5fb9f965c7344241814a30f5d5d6b6ccf7c6450382291800b07bfc6059376f80efe19f85460a2f96b

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 233980f2de43dd8fc771e23a9b967f73
    SHA1: e6a3f4a75f00d500165e119a256cc451566809ce
    SHA256: 4f04206d889ec4458e6577e1ac18a3c16bad14594099525043490a04b160f8e9
    SHA512: b9cb5583fe0835ecac36bae827ccf5a3e9aff6c503199703495a0e062f93fdffa60742c6b7a344b766d844faee151529b0da8b2cedb6ff2bbaf96173f8914c6d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 2.6MB
    MD5: 58e22bc63a44999c3c68c55967823c17
    SHA1: 45c787966890109b89ba061d3a4caf8f8ad2a038
    SHA256: 25bd7fa108b10b183e9cec9bd330921766a04c28faf80f28f5d7f2147f2028c1
    SHA512: 87ed983b81faf5a6eb3e068e7ea1bf99619f4d5bd278bac06641a3d8173e154abb5c202f54cb569020ce62770e06dcc7171775645e87111630346da7c104f93e