Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:14

General

  • Target

    a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe

  • Size

    2.6MB

  • MD5

    51cf53d7fad47c7b153aebc19cdc4e5d

  • SHA1

    4353613c56c626331851ce11667c9e2438767653

  • SHA256

    a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296

  • SHA512

    cda0a3e112409544605903d2ef48f61ac47017227de2ab7aedc46f8268b5698c78d3fdfd3be67319790d6b75f45561f67266990c621bd5e2c0f714763bc45bf4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpfb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe
    "C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2680
    • C:\FilesUK\devbodloc.exe
      C:\FilesUK\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesUK\devbodloc.exe

    Filesize

    1.5MB

    MD5

    712990f9e312be469474680548f3ad00

    SHA1

    0910efe97a4c8ae73c52197fc4335d45b01100d4

    SHA256

    241edc23f13bb2901598b00d0649acd26b2886fa7cf5a844fde68efe649959d5

    SHA512

    2eb46490979a8faaa4e4b2084d4eb7e5194a1d24de9099b3a5ab610e9e806c0dee55b07af6844577c72c510be5c5c4963b1e3c0c07d1956cff6f92f871f01c03

  • C:\FilesUK\devbodloc.exe

    Filesize

    2.6MB

    MD5

    58cfccc8b8cb14fa679d4dd71fd69b47

    SHA1

    8f0488c301023ab177ee2e805ea1d5818120701b

    SHA256

    de96f3684c3525c6a0e67b3ec36a788de31011fc57409466e11137e1d3d33e9c

    SHA512

    a5a2b53d5edaf78d54b8a253e80b4a7bff6ba94dcc8b932e64527e37d839f576e2a88a2c8e8be84fabb1d44a00481893889f6a12a9a67a6f53f6e7e14c082add

  • C:\GalaxBB\bodaec.exe

    Filesize

    2.6MB

    MD5

    1ba95bcf7dbe6582b6a7dbd911dd706b

    SHA1

    95afa39720af5c8ad93f74921ca5409642a30b80

    SHA256

    f995c0ef214915d01dae82794c0327d03331ab0f45a155adafd336a6ccb47b32

    SHA512

    4d629f4a40fef836a983ea93db44a3daac63f44cc903f13db8b75ae055f6f34ad7a46ccc2d4c0dc07319ccc2b80a74c3f2d1f254cfc171945db5825277ecd7b9

  • C:\GalaxBB\bodaec.exe

    Filesize

    2.6MB

    MD5

    f68d4844821bece741add55e091a1d07

    SHA1

    2cd1edb6fa0a021e2778886647e9b56667466e90

    SHA256

    0d37e87a0871e5ce55f703162b7cb8f7bce06b62e8c82bc6324e56ecd972cfe6

    SHA512

    b87d0fb526d3e8cba5ba10e695556ae7b582d8c1958a3bbfedf2ecc03f00362c9b88725c332436b160bf4fbd9c786e07b492dc791b5b21a77126475b049de4cd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    4f5fb3557d573fba44907ffaa63a9b20

    SHA1

    0b4f22d841340068fbf14088d41bd47c54cdfa90

    SHA256

    b53636fa04581d2ad74f8dc63d3ade1ff0bc0c76eea325eb390d135ff0c15f08

    SHA512

    3d49933cd76431504cf4ca99f70961eeed9738dab7f37ca20f8d6b043c69d98f63e1625aa07ff89c655e7e66354bf7a3e3ac39db2f1ee8d2a721c8d9e51769fa

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    0a627ad159310e7d7d25089d7effa533

    SHA1

    05d65d04efa4b1922b3bd10d2c11ee043cc340eb

    SHA256

    29a0d423eebdccf3297fd35ff934150f66382e432aff201829e1425251663342

    SHA512

    b4ef9b6ed048cd364fb9feeb2dfbb750e7d31165c1eee1ba5e5bbca4a886472f835948fc5fdd32992c795af03e37645e4c8830964f7b5c66049cc655103bea0a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    e4024362eb652a06070821275d5035aa

    SHA1

    a4ea65e8e3a806e8c547fb8a1daabe54dc7f406e

    SHA256

    9d2d08dce30526fc21caba559bfeceb64bff8d3554975570b384a778ccc8f438

    SHA512

    0b2f4536161294255b1c0cff78060cfd23ddd3af6e2ada322ccbd0f2cd4681ec1efd576a268c8859c83471b354e3c2a246959e3aa30e2401a6a1ef64d7877bd4