Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 00:00

General

  • Target

    75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe

  • Size

    2.6MB

  • MD5

    a3596b0537ebd98b9da4548ee290f590

  • SHA1

    1e66d8cc4d99eafdae32f3544389cffda2bb2071

  • SHA256

    75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468

  • SHA512

    712dad09e851fcc2e52c75989182f2d5c5a74f65278b50bdc7c34f3c8bb53052ba8c1cdbc049d81e08e9205f98e5c00ab4b11444a982297aae3ab4dd4d0c8b66

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpYbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
    "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3196
    • C:\IntelprocC4\devbodloc.exe
      C:\IntelprocC4\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\IntelprocC4\devbodloc.exe

          Filesize

          2.6MB

          MD5

          e949aac111dcd395eec4a142f3332bb1

          SHA1

          e1d24508516d15627032074e860410ce92a12b4a

          SHA256

          06d25477ced35acd1d2bb7455028e22fa3022dbf444bf58c9f08a5874733ac88

          SHA512

          0a2dc02137e6950a044e77acb3343123695cd64bf6fdda11b8e5884a32b908bfd504199e24aa737294e4c4c716e08077cafe4a55b4966b1c33878a1b4dd4b84c

        • C:\LabZLF\optixloc.exe

          Filesize

          2.6MB

          MD5

          30d86b2f18ca72d7970aa818a2bfab37

          SHA1

          a3ed21409a67479a9d3e25c9b90fd92a928c652b

          SHA256

          5bdaff641f6449a6143984dd990c728d06e832295e70dd9b3ee709e920640aa9

          SHA512

          cecd24b346737a1cc95a4410f525200e5c5afd34f2c6d888ad18e9220edce62f2b74996574d8c2dd21ef83a349cd4263187a779976de5c8e2ebe1c30a27119dc

        • C:\LabZLF\optixloc.exe

          Filesize

          2.6MB

          MD5

          386c67999881567c208e295421e5e1d6

          SHA1

          06e502c41a69f5d36593f5860e791b434fd027f2

          SHA256

          0a65a23ea064fc5399cac8151da22b013cd2bbcd766e119042d0f02cdc7dbbf8

          SHA512

          8003bdc79042f0f95051c4bf55a5c8c651822d80f31083f4f3857f8e39aa28845d1ba73c051650248e4744fd5e54c1d11c4880dcb8b56236ef04c76035ee030c

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          209B

          MD5

          98a6560369f2524829837f359bdb9dce

          SHA1

          970a25a3f94eef59a368d6e548e7c9edc2080d0b

          SHA256

          27edc74e9f274d3c9d121875559587e126c6be196c44251710014ae5dba50a89

          SHA512

          09c694fc468569c402ea11528ecdeaee672a6a76f5f7b668c725be87d0ba8e47dc498ba5be7af5e9a2e05abb0c9e5e965f80ebdc4de030794fe88a4c7ec499cd

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          177B

          MD5

          b86baf64a2f4d6dae072300ecc0a48c5

          SHA1

          0d3d2c42bd88180f830fce202ea54a81ab5cc7d5

          SHA256

          d6c06371c0e1afd014888effb8b64df787c6ea7616e6beeeca1e552646f89eb9

          SHA512

          c5201bc6a7933aad78b0108bfe6e4fce9b1ffbbe529232bec2961e4c8d8e77f3125979dd16eab046d3d6a439d63a6692a4d0dcb054ee2857e53b6b08ab03700c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          8ec5fbe4531477a2430367ff50b8ffb6

          SHA1

          812a942428116b4ac3a4502ccf949bf7ba04e547

          SHA256

          a56b36da9e2f53a8de00463a96f9617f413bdb521b38c6cd171990bed3e828b9

          SHA512

          6e837b4f82a6daabafc3dcdb4ad5d2b47ae827372773e681b2f034de18ea032d70c51529cc180c6b8ef0d7e6611c49cbf4fbaefe8881e5b4a22f1b59da5312c5