Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/11/2024, 19:27

General

  • Target

    09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe

  • Size

    2.6MB

  • MD5

    f275dc4fd58a355191f68c8f70d280e2

  • SHA1

    3e915e33e978db0d5b8597f60b1b845ecdadcf88

  • SHA256

    09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc

  • SHA512

    0fc2b4f95577f4970622cf397c9302e2f59f03a8fc98a86129516b41d67c535857a5ace0082c5aa844dcb2bf50f934d9d61f8f3b514e961fd51cb5c76c87a57d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpIbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
    "C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2120
    • C:\UserDotE2\adobsys.exe
      C:\UserDotE2\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5048
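
The process tree and signature list above describe three behaviours worth detecting on a real host: an executable written into the per-user Startup folder, a Run key added for persistence, and the dropped copies (ecxdob.exe, adobsys.exe) being executed from a Startup folder and from a made-up top-level directory (C:\UserDotE2\, C:\LabZLT\). Note that every 2.6MB copy in this report carries a different hash from the submitted sample, and C:\LabZLT\bodxsys.exe is written twice with different sizes, so matching on the listed SHA256s alone would not catch the next run; the following is an added example of behaviour- and path-based detection, not code from the report or from the sandbox vendor. The events are constructed Sysmon-style records rebuilt from the process tree (EventID 1 = ProcessCreate, 11 = FileCreate, 13 = registry value set); the dropper's parent PID, the Run value name and data, and the benign noise events are assumptions, since the report does not disclose them.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Paths taken from the process tree in the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe")
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\ecxdob.exe")

# Constructed Sysmon-style events modelled on the report. PIDs and file paths are
# the report's; the parent PID 4321, the Run value name/data and the benign
# notepad events are assumptions (the report does not disclose the Run key details).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3736, "ParentProcessId": 4321, "Image": DROPPER},
    {"EventID": 11, "ProcessId": 3736, "TargetFilename": STARTUP_COPY},
    {"EventID": 11, "ProcessId": 3736, "TargetFilename": r"C:\UserDotE2\adobsys.exe"},
    {"EventID": 11, "ProcessId": 3736, "TargetFilename": r"C:\LabZLT\bodxsys.exe"},
    {"EventID": 13, "ProcessId": 3736,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\adobsys",
     "Details": r"C:\UserDotE2\adobsys.exe"},
    {"EventID": 1, "ProcessId": 2120, "ParentProcessId": 3736, "Image": STARTUP_COPY},
    {"EventID": 1, "ProcessId": 5048, "ParentProcessId": 3736,
     "Image": r"C:\UserDotE2\adobsys.exe"},
    # Benign noise that must not fire.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 4321,
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 11, "ProcessId": 7000, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ROOT_DIR_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\")
# Top-level directories where executables normally live; anything else is suspect.
KNOWN_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}
EXE_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    path: str


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXE_EXT)


def in_unusual_root(path: str) -> bool:
    """True for an executable sitting in a made-up top-level directory such as
    UserDotE2 or LabZLT in the report, rather than under a standard root."""
    m = ROOT_DIR_RE.match(path)
    return bool(m) and is_executable(path) and m.group(1).lower() not in KNOWN_ROOTS


def detect(events):
    """Single ordered pass over the events; correlates FileCreate with a later
    ProcessCreate of the same path to flag execution of a dropped binary."""
    findings = []
    dropped = {}  # lower-cased path -> PID that wrote it
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            dropped[target.lower()] = pid
            if STARTUP_RE.search(target) and is_executable(target):
                findings.append(Finding("startup_folder_drop", pid, target))
            if in_unusual_root(target):
                findings.append(Finding("exe_dropped_in_unusual_root", pid, target))
        elif ev["EventID"] == 13:
            if RUN_KEY_RE.search(ev["TargetObject"]):
                findings.append(Finding("run_key_persistence", pid, ev["Details"]))
        elif ev["EventID"] == 1:
            image = ev["Image"]
            if image.lower() in dropped:
                findings.append(Finding("executes_dropped_exe", pid, image))
            if in_unusual_root(image):
                findings.append(Finding("exe_run_from_unusual_root", pid, image))
    return findings


def summarize(findings):
    """Rule name -> hit count, the same shape as the report's signature list."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.rule:<28} pid={f.pid} {f.path}")
    print(summarize(hits))
```

Run against the constructed trace, the rules reproduce the report's story: PID 3736 drops into the Startup folder and two unusual root directories and sets a Run value, and PIDs 2120 and 5048 are flagged because their image paths were written earlier in the same trace. The noise process never matches. On a live host the same rules would be fed from the Sysmon operational log rather than the inline list.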

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZLT\bodxsys.exe

          Filesize

          2.6MB

          MD5

          ec3143025916fc8ad37c9e673ad7fc61

          SHA1

          dd35affaeae1fe228649d00c09fc25256e978078

          SHA256

          99dd6274207e9e7059323ef0d2aab2353290728c378eb9caf1ff8ab792a13972

          SHA512

          d4740d81373cbfdcea9b49abce3b9b0ba71e5e741e3783d47773e7ab42675e52e9022ecea21d8352d7764b05316bf4844448d4119eaf6e506211a8e14dda03b3

        • C:\LabZLT\bodxsys.exe

          Filesize

          18KB

          MD5

          7b3af07912640805489e8c5cf4d13cdd

          SHA1

          ebbf740092a005c3977c248e866e368bd740fabe

          SHA256

          796cd64f663a3cf7a7152674d09a6e15ce855b7bcc484e09032d93e380273de8

          SHA512

          f38bc3460dcba201e04314f8585733c0305f097921a1c45a98e6211fcaa629f95a25f4bb5248e9228ee4cfb91a86eb34bb42b10cb8f1733aa492b0f8ec1da96d

        • C:\UserDotE2\adobsys.exe

          Filesize

          2.6MB

          MD5

          d0fe65c282ef3f766a00c468798f5446

          SHA1

          001eb1af754fc73fe4c0cad3199d7b6b762c26e7

          SHA256

          a8edc7f142fdc17bfb7b403cff7f211ba71fcc7c063815e4860b5b43a90365bb

          SHA512

          2d621e86047e6e705660b5afcc24adca02cef834d7a2532c56975863434f09ee6433026e49a169061dd2d3168d5783aee9e04755893605a91b6775223c5984ff

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          ce0c498349d8df71f6531ed484efa923

          SHA1

          bd74867684c8b1e21bdeaae662a2f708711b000c

          SHA256

          bc0a4465c1f0a8450b4c3e27aa5bc2c9c599f5978501dd729c88869ddd8f3736

          SHA512

          f6bc3381925d1640351c5e40433cc67e9f69246cfb14066d1ab1cf515a07c00fec2b57b0318bcd68aaed783b228af6e3c360ee6bc9e29c1783199e1cfec4d9dc

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          3c0e30121450fe1019dc3d76bd6d00b5

          SHA1

          1fc7c4082a18eaaeadd5700afc71f7bf6fd0185c

          SHA256

          1891170a2825f9bef1620d189052803192ac79baa8abf84ce5a33facd648bd0e

          SHA512

          d8966ea5280eb3be6868c648745104f30ebfbbca556fbf718330c17f7975e217d3636892de9f0c393f117aba9f6dba209590ae2dd074fdf3fc9a14db9e32a028

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          87926f62d416e5aa2aff2d9005d31c73

          SHA1

          f84b207f12bfe782be63ed8ff4dc3f0a60611c26

          SHA256

          c11e17cdc0ed3d051973558703a97f2a318ecfc1b010a3d6967a3f7b591a9a48

          SHA512

          d1f3290b4b4e6e708c895d38eaac9efcbad77d8c871f0a49725f039ba42a19c1b89a0f21fd570f8fcb466e80227878b8637accd71482f524baee1e0dfd6b98cf