Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 00:06

General

  • Target

    2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

  • Size

    2.6MB

  • MD5

    c21ee1eebb8a3a74eebfe5f4f5a6e590

  • SHA1

    7589d40f762bdc6857fc5b9830a5e803c9329173

  • SHA256

    2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e

  • SHA512

    89377f2e304218854729ce9bba13fab4a892fd6b18f65c5b13d5c8abcfe449058bf320056ba3bc773b2da562331b0a40bbef54a5f58b02741868cdb295c3afc0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
    "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1624
    • C:\AdobeM4\devbodec.exe
      C:\AdobeM4\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3048
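
The signatures above (startup-folder drop, Run key persistence, dropped EXEs executed) and the process tree give enough to sweep another Windows host for the same activity. The following PowerShell script is an added example written for this page, not part of the sandbox report or the sample: it checks the drop paths and SHA256 values listed here, enumerates both Run keys for commands pointing at the drop directories (the report does not name the Run value, so every value is inspected rather than a specific one), and looks for running copies of the dropped executables. The per-user Startup folder is resolved for the current user instead of the sandbox's "Admin" profile; that substitution, and the choice to treat an unknown hash at a known path as suspicious, are the author's assumptions.

```powershell
# Added example: IOC sweep for the behaviours in this report (not from the report itself).
# Assumptions: hashes and paths come from the report above; the Run-key value name is not
# listed there, so every Run value is examined rather than a specific one.

$KnownSha256 = @{
    '2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e' = 'initial sample'
    '55f47b6d443c3f515a948c3981750e7af5d121e3dcf12876ffea73b9376ba5a4' = 'locxdob.exe (Startup folder)'
    '1eff88926d2539d816dc99df45ca7b2071c5df39e68e28ad5bfafe14042db3d1' = 'C:\AdobeM4\devbodec.exe'
    'e7583a13ea1e31d7822215e924ec5688229f16855283ec984816f26e879cc81b' = 'C:\VidUN\bodxsys.exe (first write)'
    'a4953762eeb2cd6c423b609f0fa1a46983bfa594cc8ce2236244988bdeba268e' = 'C:\VidUN\bodxsys.exe (second write)'
}

# Drop locations seen in the sandbox; the per-user Startup path is resolved for the
# current user instead of the sandbox's "Admin" profile (assumption, see lead-in).
$Startup = [Environment]::GetFolderPath('Startup')
$Candidates = @(
    (Join-Path $Startup 'locxdob.exe'),
    'C:\AdobeM4\devbodec.exe',
    'C:\VidUN\bodxsys.exe'
)

function Test-KnownHash {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256.ContainsKey($h)) {
        [pscustomobject]@{ Path = $Path; Sha256 = $h; Match = $KnownSha256[$h] }
    } else {
        # Same path, different content: the two bodxsys.exe entries in the report already
        # show the file being rewritten, so an unknown hash at a known path is still worth a look.
        [pscustomobject]@{ Path = $Path; Sha256 = $h; Match = 'path match, hash not in report' }
    }
}

# 1. Files at the drop locations, plus any other executables in the Startup folder.
$Candidates | ForEach-Object { Test-KnownHash $_ }
Get-ChildItem -LiteralPath $Startup -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KnownHash $_.FullName }

# 2. Run keys in both hives whose command points at a drop directory or the Startup folder.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
        $v = [string]$p.Value
        if ($v -match '\\AdobeM4\\|\\VidUN\\|\\Start Menu\\Programs\\Startup\\') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $v }
        }
    }
}

# 3. Running copies of the dropped executables (names taken from the process tree and Downloads list).
Get-Process -Name locxdob, devbodec, bodxsys -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path
```

Run it from an elevated prompt so the HKLM Run key and the root-level C:\AdobeM4 and C:\VidUN directories are readable. A hash match confirms the exact file from this report; a path match with a different hash should still be preserved for analysis, since the report itself shows bodxsys.exe written twice with different content.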

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeM4\devbodec.exe

          Filesize

          2.6MB

          MD5

          a203f730d039f868127b217f5125ce0c

          SHA1

          d6610dcb497afe1129443627084919b25442c19f

          SHA256

          1eff88926d2539d816dc99df45ca7b2071c5df39e68e28ad5bfafe14042db3d1

          SHA512

          fba99c25948df33d0821960318a9c90150003c3c32a2b63aa866f5bbfe9af7c9dab5754b1d6413b8532f643cea16c173fce4091f8ef57d8dd1a2b1976627d106

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          4ef9de9c3dc5025e5854a8312f408e14

          SHA1

          238d182336d62a2175703b0238b8c8f4ec6b9c35

          SHA256

          33d4486004bbb28bf64123efe490b7144a28334b0f0d530030d995ad67a052a2

          SHA512

          777164dc9821d89e6ce04301713a286264687071b9e841d27d8914fa0f411f1676d394d5eec7f057986fc0ceff29b88e99da0831b2ceced4a71e75415cc5c2ad

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          8d91e13bbc17005003df7d2eef8b8241

          SHA1

          b6aa947735391a18e7991f28b061a76a9f0fd927

          SHA256

          577d44eaba63691b5a33b63a754c95a1528b2cd5292543f8677800d541769c0d

          SHA512

          e1db7fdb7e351bd22fd5ac9282f195387dbe0dc6a04aee7e65f0586f5b5dfaf6ab2b7dffa4f05bd2dd0eea22ae338144ceb9f2a537613f9e8f632b8799039b34

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          3e9633299a846c444a3c93961ef6e60b

          SHA1

          266f6eda79eb7cf64f491faff24fb524c9f4a3ab

          SHA256

          55f47b6d443c3f515a948c3981750e7af5d121e3dcf12876ffea73b9376ba5a4

          SHA512

          f062206f23f8001144f020ef26c7c1e750ae40904031ca0b13f7a27b9316660b74d35b58a536845ac92c42ea75009a4b6f42c2ae68f051ce224d1a408e0a9b1e

        • C:\VidUN\bodxsys.exe

          Filesize

          2.6MB

          MD5

          b2454d2d5c9713710e0b625fe6ec2f9e

          SHA1

          74fccc3577e18d90473c384d570b42d2c151bc9e

          SHA256

          e7583a13ea1e31d7822215e924ec5688229f16855283ec984816f26e879cc81b

          SHA512

          995dcd5b712a20d83066ab57f9a92ab6775954f008e6d93f80a46b5aa5e394eeadfc2497e35a5f30b7db821b5fc4639113acaf0c7ef8141d51f8c5ef1758d7d7

        • C:\VidUN\bodxsys.exe

          Filesize

          2.6MB

          MD5

          50e9abe8b096be1f9e9b04c31845f87e

          SHA1

          36407aadfcdc7aa153f7f28664f615277ef3a126

          SHA256

          a4953762eeb2cd6c423b609f0fa1a46983bfa594cc8ce2236244988bdeba268e

          SHA512

          e1feaca30201b210e8347a0afb4c958f96b5affdc6712e3fefea6ff77974eeb5698c024c22742981ebda400439fa8bd66270787fa71342ba5a6716dec194b868