Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 21:57

General

  • Target

    76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe

  • Size

    2.6MB

  • MD5

    660de9f89377146f2f21666c17297fe0

  • SHA1

    cf87b3f5cc616c2a52bd03eb7428b89305590fc2

  • SHA256

    76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159

  • SHA512

    0508fd373c7ed3992a1d133c703b7b8ad2e14a936aff7cd8a9035ed4cbb935d5cc657176d332f20b1ad24f40b3d7c9cf84ef181fa5a75ad8354f7a0c53a531f9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUp8bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
    "C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2464
    • C:\FilesD5\adobsys.exe
      C:\FilesD5\adobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesD5\adobsys.exe

    Filesize

    692KB

    MD5

    60bb9675ac0dd36387be153b3eb502c6

    SHA1

    375df1d4f237f7bf6d13fe97963003f39f0b758e

    SHA256

    1ccb27cf9fdccd60dbd37dc35bc768eb4b97665cd9783dd9ed0934a0608c995b

    SHA512

    12c2fa37d5ab11b35e590bd3f5693ede6e306ec9518bf9b6215a68ea5d2df47e990242fe9e749b961575e27af7ea63653678d1f9eceb3c889f4e84a00f0f66b9

  • C:\KaVBYP\bodaloc.exe

    Filesize

    2.6MB

    MD5

    bd9c23f29393cf7db89f5fc9f63b9c9c

    SHA1

    d11ec3c3cd3080b806298c727638c3c72e7e002e

    SHA256

    887579393c0badeaecb753afd0480ae55e987686775d3d13707c102a873f4920

    SHA512

    8a1a358d5f1842e32b31796bba954fc425dd518f1de1a2c0cb4cf5a64985aea31c5a14d3f0a2e6cebd973ef441470bfa6e064b0654c51216994f2ce5d9d20443

  • C:\KaVBYP\bodaloc.exe

    Filesize

    45KB

    MD5

    74ed8e02892e5dc25b8e4e3440a4caa8

    SHA1

    c95a257bed3343fe4ec8d6fba752a902a80debdb

    SHA256

    409823c6a46e08c8c7f48e5fb99333e36b14d168688c1d4857a753f9c447bc61

    SHA512

    9a0e9f4304e7b390ba918570d20e4ddb9f4b411a3f8536243e378386c8a25cb327c7549365bfa796dce30a4780293f05a6c42daa0535ea006d879e31179ca983

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    0c33bf4695536a332d8bb0e7ea482119

    SHA1

    36b113f97d99e26f2d361507651b97d63accc71a

    SHA256

    eb41648383cd298c5bd15a2f2946a530362f37833adb93c7adfe2bc1924f3a0a

    SHA512

    fcc6d638c3b51d14254fa5be9ce39a3a14ab853c27be10f28a1c3f6a5989dbc551f10d72c76d80be04702bbc1d2bf21184af3c7cf35f9dd2210d166fbed64ddb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    ced71dac7850c0b494e9fa05d8b53e25

    SHA1

    f1923f06f133b691e099f8481ed891b1d215968c

    SHA256

    3bc94a4872afcaa36f3304e1fafc4859d94be65639a21791c51d2eca0b915e89

    SHA512

    50e799b22ca6cbf97a723afb1a3f3a9622f20b35e3f5d2a9cec453d760480321b8dcdbeee6f9e4f165bbd87c204d71970e9ef1d776348135d06d3ddc7d37bbe1

  • \FilesD5\adobsys.exe

    Filesize

    2.6MB

    MD5

    2331ccc8dad5973f8ea5e3b44358c46d

    SHA1

    20566f438979f22ef751e8156130b8fa5f58352a

    SHA256

    908626a5180125ba283028646e87a41b7c4d65c14a1ca3eb383f87551e3e9128

    SHA512

    38411b0a23e558225bfcd8edeae601e803a7ae1ee05b2384fcd5426b049b8e22c570c66a05b5ab587659d477a93385849c4d3b51c790c627e5599c97521d84c5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    2.6MB

    MD5

    626b8830c21b1a476b996879594cdfb9

    SHA1

    5ffe7aef476d586f2a8e44b0fcc60ff42f14b52f

    SHA256

    75a033111227befe323896190ba490361304560d7c715b43e613c30fcfc067f1

    SHA512

    7955e888b82534ec2985bd471e489b3da5e271e66ba84410cd76793614d5f559399a19dd997bc128f42fa75555d28772291dcff0399847f7071fec2246c7e3bb