Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    09/11/2024, 20:12

General

  • Target

    1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe

  • Size

    2.6MB

  • MD5

    86136fac208ef5fbe52c2c0dc47f154e

  • SHA1

    c949bca829e4e76f44c759f102fe4bc82349ddb6

  • SHA256

    1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726

  • SHA512

    cc0b82fb598a230aefad1e09db71cf33e37a6626361ba7d107c276bdf3b575b195236dc868caf31c8f21084ee9a6c10e8d0959426b8e48551be54ad7208cbce2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly target the data web browsers store in the user profile, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe
    "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1616
    • C:\UserDot4L\xbodec.exe
      C:\UserDot4L\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2920
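
The chain shown in the Signatures and Processes sections (the original executable writes locdevbod.exe into the user's Startup folder, sets a Run key, and then launches the two dropped executables, one of them from the custom top-level directory C:\UserDot4L\) is the pattern a detection engineer would want to match in endpoint telemetry. The following is an added example, not part of the original report, that runs that logic over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set) built from the report's paths and PIDs. The Run value name and its target path, the SID, the parent of PID 840 and the benign noise events are assumptions, since the report does not show them.

```python
"""Match the startup-folder / Run-key / dropped-EXE execution chain
against Sysmon-style endpoint events (Event IDs 1, 11 and 13)."""
import re
from typing import Dict, List

# Constructed sample events modelled on the report's process tree and
# dropped-file paths. These are NOT the sandbox's own telemetry: the Run
# value name and target, the SID, the parent of PID 840 and the benign
# noise events are assumptions.
ORIGINAL = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locdevbod.exe")
DROPPED_EXE = r"C:\UserDot4L\xbodec.exe"

SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 840, "ParentProcessId": 1380,
     "Image": ORIGINAL, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 840, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 840, "TargetFilename": DROPPED_EXE},
    {"EventID": 13, "ProcessId": 840,  # assumed Run value name and target
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Run\xbodec",
     "Details": '"' + DROPPED_EXE + '"'},
    {"EventID": 1, "ProcessId": 1616, "ParentProcessId": 840,
     "Image": STARTUP_EXE, "ParentImage": ORIGINAL},
    {"EventID": 1, "ProcessId": 2920, "ParentProcessId": 840,
     "Image": DROPPED_EXE, "ParentImage": ORIGINAL},
    # benign noise that must not fire
    {"EventID": 11, "ProcessId": 1200,
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1380,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# An .exe sitting directly inside a non-standard top-level directory
# (C:\UserDot4L\xbodec.exe); the usual system roots are excluded.
NONSTD_ROOT_EXE_RE = re.compile(
    r"^[A-Z]:\\(?!Windows\\|Program Files|Users\\|ProgramData\\)[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE)


def _exe_from_run_value(details: str) -> str:
    """Extract the executable path from a Run value (may be quoted or carry arguments)."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', details, re.IGNORECASE)
    return m.group(1) if m else details.strip('"')


def analyse(events: List[Dict]) -> List[Dict]:
    """Single pass in event order; links the process that wrote a file to the
    process that later executes it and to any Run key pointing at it."""
    written_by: Dict[str, int] = {}   # lowercased path -> PID that created it
    run_targets: Dict[str, str] = {}  # lowercased exe path -> Run key
    findings: List[Dict] = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            path = ev["TargetFilename"]
            written_by[path.lower()] = pid
            if STARTUP_DIR_RE.search(path):
                findings.append({"rule": "startup_folder_drop", "pid": pid, "path": path})
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = _exe_from_run_value(ev["Details"])
            run_targets[target.lower()] = ev["TargetObject"]
            findings.append({"rule": "run_key_persistence", "pid": pid,
                             "key": ev["TargetObject"], "path": target})
        elif eid == 1:
            image = ev["Image"]
            writer = written_by.get(image.lower())
            if writer is not None:
                findings.append({"rule": "executes_dropped_exe", "pid": pid,
                                 "parent": ev["ParentProcessId"], "writer": writer,
                                 "parent_is_writer": writer == ev["ParentProcessId"],
                                 "in_run_key": image.lower() in run_targets,
                                 "path": image})
            if NONSTD_ROOT_EXE_RE.match(image):
                findings.append({"rule": "exe_in_nonstandard_root_dir",
                                 "pid": pid, "path": image})
    return findings


def rules_fired(events: List[Dict]) -> List[str]:
    """Rule names in firing order, for quick triage or tests."""
    return [f["rule"] for f in analyse(events)]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The executes_dropped_exe finding carries parent_is_writer and in_run_key flags so that the writer-then-launcher relationship visible in the process tree above (PID 840 drops both files and is the parent of PIDs 1616 and 2920) is asserted explicitly rather than inferred from separate alerts; the startup-folder and Run-key rules fire on the write itself, before any reboot, which is when this persistence is cheapest to catch.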

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\UserDot4L\xbodec.exe

          Filesize

          11KB

          MD5

          4b15a8dc60fb28ba194308947f8d0bdf

          SHA1

          addcf6f0cc5dc9577f5354dd3efdf91843caddb2

          SHA256

          eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152

          SHA512

          35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e

        • C:\UserDot4L\xbodec.exe

          Filesize

          2.6MB

          MD5

          f8a6bb436afda62b3fc5e356c2a2b86f

          SHA1

          cea29e2353c0ffd2c6f1a535e1b95927f25f0de8

          SHA256

          d60f806b47844af5ee5a8699d334026a73dbef99925ba240cfd02c09f9edba84

          SHA512

          feacde03056a7da505b508c0589ff52ca5798663996d08944fd79da885d70575112592d6ff1b83fe5539ad2f0f903fef2e7becb094b7f361e68b68a5f83baed0

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          1d704e714ac6ba30fbb56292b3041985

          SHA1

          d3a8ed8749601d74f1c6759d6d10342e39b907eb

          SHA256

          3e1f460dcfd7275a0d6bd5e3eaef18fd513e158d699e5a62bfd70db41e37cd95

          SHA512

          db6684f6169a675cea4dcf6b6441954e103f10768bc92974b9dcabf13ec1b8f4a44f2efd22f63603aa58ed9e3610961601bda62006d2f3f90eb43347b88a4748

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          5b564730b9e7af4a6b8ab2aae96a42af

          SHA1

          b02bb8306c60a6ed7cb6b4c15491dab4b018c914

          SHA256

          585c617091e839ee434e37869e0e4e2a1c091ac44cbc9310e9d0f39e030eb517

          SHA512

          67691658220456fbd24676ebc4e2e5cb3bbfab5b79c402f2b7c9eb8386004f316bfbf72ba0f647cccc02942c11d4dd74f71fc0bd9e219c584a2aa1289bd0a931

        • C:\Vid5C\boddevec.exe

          Filesize

          145KB

          MD5

          b89066b664e1bcaf48440629f62e1196

          SHA1

          c53a80a80b8c0e651574958d04b006e21b5f6592

          SHA256

          5dde44e5cf22086c26a23c6ce0cc49f35c6e8f1280c1ed8ec4d5cda7ee95cedc

          SHA512

          84d342bc2916c6cd7e19264d24240e987d711b2514ae2d87b625e8f8311ecd7b68fbe511890a1dbc0b05b2daab8075c2078ae405ba25315360f9dec971fa653f

        • C:\Vid5C\boddevec.exe

          Filesize

          2.6MB

          MD5

          ff4b66900a409c2d72d38997d01dc396

          SHA1

          aa1382bb61e141fd3103fd571aca5e4bb7f0eed4

          SHA256

          cf89864284134635b4e9c306e5843d021154adc68820d6aa5760629d5d825d3c

          SHA512

          292f27cb900b2940fa70b53539cfb58347e43e04deeffaa2659db67b92f8b883ddea049d8ce72490873fa4e7ca387062415257d954653186c66661290adb012d

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          2.6MB

          MD5

          c98daa4ab0c3268db527aff910fa26aa

          SHA1

          893be3b7c6d6f5ac4afc7ac6163743ce536c2c7c

          SHA256

          da7a69bbcfc8922b037a2d7d2c13f49b02949867ca4e8ac39632ecb29cd40c01

          SHA512

          35fb9329bf90fbe4c28ccd5d2d6a2aa876dd13cf88faf274ec3a65052b7f3ddc54f8820a0f35ea69a3b993080640854d98f692f9ab0dfe1133541bdc19c8a81a