Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 19:05

General

  • Target: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
  • Size: 2.6MB
  • MD5: cd73125f1fe8152cd43f3f5578c8baf0
  • SHA1: 5b24f6dc3a9dfd3c96daca88b89fbf2e46f2972e
  • SHA256: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111
  • SHA512: 6a552589b1f1ab116f526e64096d495e697871c86409056b80c0654a68dd74eedf3ab9589ec0b26e3faa559bdf042f32116f4458101d19049715a7621b044bfe
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpwb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
    "C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3300
    • C:\UserDotSN\xbodloc.exe
      C:\UserDotSN\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint57\bodxec.exe
    Filesize: 2.6MB
    MD5: 984b9e9b5d28b5b00d95702ebdf1f6b1
    SHA1: 4c45f4935e06a287dec7463775bd44507e37a397
    SHA256: 02cb9b97f4cbd6c10e92338c3782b0252312052afd61c21091fffc720c8d6f56
    SHA512: 5eee150ec11092fe77242f02feb9c1859007a2ae1d4f0aec2b184a4cb57a37fc9af1218ed223a6c3ceb69f98f253f2514016532473b5be4953ee7fc8fb42cbbd

  • C:\Mint57\bodxec.exe
    Filesize: 2.6MB
    MD5: 694f7e6f60fc1bbd7c5f139df913960c
    SHA1: a7c1cda14b461f46b55c060fa6c397e8804c0003
    SHA256: 851012d6efdedef5822ad7c81329b307f0a8f4abc21cd91cc8583bcfeda42e94
    SHA512: efc25fbed8ab16cf023eab0b95ff9d402a0dadb5cc8f3738544b50db4c9f341ccb5ce4ed2721d01f95f61d76179240abcce901e6f9e0cc0caf7fd03404e8c1db

  • C:\UserDotSN\xbodloc.exe
    Filesize: 2.6MB
    MD5: 28c552a60403152971ec00b8deef5125
    SHA1: ebca3f4ac61aadbb6957ab51bad57762fc9c4883
    SHA256: 421e9247b0709ae843cffe2f5e2bcbc096e4401a0339e3edccfd0baa3011c767
    SHA512: aca93b5939f6f19eba1831bf614aba055b11c93aec40cd9c4606229bb5e4758d000abedf3ab95bd038a6219faedca7c50b696ea967583cda4caf40756db13615

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: d03626188dbfa5b30c4095b58bd0585f
    SHA1: b66fe4235651fa049bd8e7362f4a4564a4cafadd
    SHA256: dfed6466bb8caed4b0048584d7869ef3471dd085aae220d7b02d4cd2e8336dc8
    SHA512: 8ee78de66f36c43a9f576a583adeab6af788fbbb544834ce97f177d3d4ac94eddae6f7e9b047f8b214267916683fabcbbfe5e8eda9c1ee112f927ffaf8c15e90

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 6aca7155222b526ff79b7c3d945eca02
    SHA1: 3f32d5821ccb482669053ebcc71aebaf01a790b4
    SHA256: e278a6c1da1f3ae86ba343f5128771a760ed18b7fbf0fc35c1d2fbef29633c3b
    SHA512: 51add21cce3b3336e33ad6c5741760104420bce1b5abaaad92a5881fa52b4495495e4c909420d3092b5abce61ebde1d6586cdc7e144532d9a2732974696648f4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 2.6MB
    MD5: bde87da5c6d7744fa84365a14f4c495d
    SHA1: 197c27cec879917ad8bdf60a383ad9c54eb4fe99
    SHA256: c85cca32a0e49659f75b30f99e271fa59e606002d61db5ab622bc8aab3d1c29f
    SHA512: bcccbc12e2f62a7f702cd76c7d624d7148d07bc867ee98651d4f8d7edc35368e37fa59c2f0a165b2e723c907377120cff4328604c731453d95049787303a9a5d