Analysis

  • max time kernel: 149s
  • max time network: 134s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 22:04

General

  • Target: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  • Size: 2.6MB
  • MD5: 4a836cfb060f1f2d768f82f786eebb11
  • SHA1: f845ec8ea795af33cadbf5d588935d296d088f8a
  • SHA256: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068
  • SHA512: f49f79c5a8e3ff475824535b3405ff93cb6ab686502acf7896743ca8cb26e7bcfbec3f6f769e1c3db4cea36eca17c3f797f706c25cd1a519bd2f0caf5e0563c6
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpybV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe (PID 2196, process tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 4532, process tree level 2, child of PID 2196)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocFT\xdobloc.exe (PID 3588, process tree level 2, child of PID 2196)
      Command line: C:\IntelprocFT\xdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocFT\xdobloc.exe
    Filesize: 2.6MB
    MD5: 43a9ff379e2059c3f8158a2015110341
    SHA1: 66434c35a5dfe8f0d61827d05d96519b7d4eeb1d
    SHA256: 5c6aa7b84ee01100214edab111886fa290c429b80f17bbc93404d860e1f281c8
    SHA512: d4060775ff6175eaf8b69442399af9219f9949cb23185d8e767b66ee25e8cbf68e34ec268da9dca2114f9fae502b7835d46d824708f13b4b226ca924dc0abb0c

  • C:\MintNC\bodaec.exe
    Filesize: 1.2MB
    MD5: bfc585b53c251bc54143bc3b7997c02d
    SHA1: a3ed085fba1895419b27dd0ffc23140a7bb7dc44
    SHA256: 7d562016c25f92016c69e012609f0e64a52a7d884a45acbecd16e11aff0f7b72
    SHA512: 37a995eea7a7fa82a0089ef725cc1a7790e0a5356824ca115b148d27d800a466e51c783f5863558c58dd10b6dc1631f673357b0a4a8dcc62c4c05ccbb9decb56

  • C:\MintNC\bodaec.exe
    Filesize: 2.6MB
    MD5: 0040f3d98ea9a5547c37d0e61b2c7348
    SHA1: 93bf511b8d9006e3b4062cad086fff8646963303
    SHA256: 964a8efc97359944c4636cce27c9a8ecfc8b4ca7a2f623d5506fda5e7df15977
    SHA512: ed41977cf0299a656f98c58ca69186b2ddd9c050ab064311ae433a75dc86e5a9e74021260b6628d9011634bbdce490dea0908071ab59936ae095f2bf2287d328

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: 40878f1230354d0fd041f4f470710fe0
    SHA1: 11aa86d24de207762e1e586688f64e3cadc9d37f
    SHA256: b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca
    SHA512: 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 701dbf1ecd0054eedb47cd021b9cc453
    SHA1: 162423eab564bbff4240251d14f2f0b698529519
    SHA256: 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578
    SHA512: 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: 56690dd23a48c7a54907acf4f61c5dbd
    SHA1: 506e9c8752ae54212e6e93e8e24a6c87a80ff908
    SHA256: b3207eea01dded1bc1f6b2a9d69ef50450eec4c381f8708c1cc335fd1fe96948
    SHA512: 1834782796d498fc14f55c51a1c1a3b46065f063fc12a11a66e8c6c220cb3a09d8d145f0ade317bab9d2a4b9d9ff1bdcfbdcd8a4923a1de2b0c3f32e50ef1aa2