Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 22:22

General

  • Target

    6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe

  • Size

    2.6MB

  • MD5

    256d5026cc9fcdb7faec3059941eb7d0

  • SHA1

    79970f805838ba37ed283fd3c7245f5020dd76ba

  • SHA256

    6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff

  • SHA512

    3ed790fc1f6dcbcb2daa2da6800f56fa77284a8a31429d7487b8c3a0ba8c4e8844b549b9dfe67d760619c9b65920c8b55f00679a4762429e4a5d2d0ff10f7e81

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1996
    • C:\UserDotJ6\devoptiec.exe
      C:\UserDotJ6\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintT0\bodxsys.exe

    Filesize

    186KB

    MD5

    e1497a96257006caa28d9c50361ca0e9

    SHA1

    c6a9707192a47a7b8dc5e3daaba59fde6d853689

    SHA256

    e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48

    SHA512

    893c8a4e110b9cb3efc35368f90b57e7ee2b9dd7f132d787dcd3ca537bd6d794b545606eb662142e26aa7211cf94614611da746c2797fcd90ff2ea5bd6aaf177

  • C:\MintT0\bodxsys.exe

    Filesize

    2.6MB

    MD5

    196a3addf52a73e1a2eb99adc0ed2163

    SHA1

    0d5bf224e5db9029151778760116ef351510362d

    SHA256

    faf53b27747c764b966ca9ebf81208f8711ee4d5436266bc066520369a3c7136

    SHA512

    350670b16037df5f9b8d20264a366aef1a78142ba254435ffbe764b55ec0028ec90443864205bd2a1f7ad33c4cad87a590aa3530185b4024ab29f59a0c480854

  • C:\UserDotJ6\devoptiec.exe

    Filesize

    588KB

    MD5

    0b3f97bd1d3f58c8cbd4c18840bdd73e

    SHA1

    2c4350cfe89924b1b93ea6302f0f7c01bdd6c56c

    SHA256

    414af5c0b280a502f70ca3452029069161b1e06ab191d6e6960a42e1f0f8a4dd

    SHA512

    2974e4f10224f839f6fd052313cda4ca47067c3d6990205117d9ffc0344f0f4585770d37cecea5c4dd6106416d3d72a97726587bc28b005d6b7f75443027f0eb

  • C:\UserDotJ6\devoptiec.exe

    Filesize

    2.6MB

    MD5

    dc0e6f1a84e2c7c12fc716eb9030c8a4

    SHA1

    5cc2206705d7eb613729e5ed6c3b7bd495c0cd12

    SHA256

    aa99df64c13a406fd8f01cdae452d3d12cb76d3821a3eff01a060e3b15944ed2

    SHA512

    a99f148a285cd6b572310eb4141917b615dd57f4dcc1e56f9942ae75b8c2ffdae860267fae9a877a4a94dbf16ce29dc0017ca95ab3456c6ffa8eb468114c7e21

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    17d9436f564aef253fe8e831a9156832

    SHA1

    a67299de03e0842cb77aefdab20bb5f8a91c76e4

    SHA256

    c5770df1d673d3d36977ad36d345b7a56ae26efd6b08221a154041adb6cc4fa4

    SHA512

    a0e9705af92c518a9e3885167e90c46b7da6ec33738ad445b72f76a5965844fb52aede2f19f019f42353d21db34b35ad2fd1b9965c7b655187b4b708484ee363

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    4f74f283b716bd69e7d3d29dfc64fd48

    SHA1

    0e9ab656bdeb3894615c9f60f3d5d0a59f421ca3

    SHA256

    b9d266740c7d3b5c6d39e6187ca6609fecb5b1f0b0b056c28ae5df5ae24d8c66

    SHA512

    26aac9e3df045904daa4ae590f4500d45784b73478a4e2ddb32c954aa00a7d1590488a03ee9926da0c9b922d291dc19a1c9d08f0fcae0eac4a7326b682cb509c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    851e07c78a7ce4502537a9d70d5589b1

    SHA1

    adaf3d3b146cbe9c70a0057ff4d6bdd16e115d72

    SHA256

    aa0ab3109739c9ddb325195ac92800aa72e8c0a236b1904094db3b656d257901

    SHA512

    ef7c12a1c7dcf69ec11d5fc19167672d4ac5667ffa7a32254e7e86947c03a131daf3c672b051c2d44d5cdcbbaaeefb255c347b07d6737218e9102385fe6f2d2b