Analysis

  • max time kernel: 119s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-11-2024 01:16

General

  • Target: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
  • Size: 2.6MB
  • MD5: 4ecf927a8c12c4d60767427b6b9111f0
  • SHA1: 2933bd81f9cc63cf5518db0c9dde7a7993d7d7bf
  • SHA256: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcf
  • SHA512: d32326242a1291482c3f25a66f98640f31e04f7e1e9fb18ebcf77615ed00805d733a2e565d54bf0b6509e9274fc0f98978f04520423bc61ec0e7fd7d82d0747a
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpGbV

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    An attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1440
    • C:\FilesP3\devdobloc.exe
      C:\FilesP3\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2072

Downloads

  • C:\FilesP3\devdobloc.exe
    Filesize: 416KB
    MD5: 6ca420c0b3deb8464cb1ea2944838ae2
    SHA1: 751971e0b99bd5a11c1e0dd44da7cc8ae078e0f3
    SHA256: 16dec6099530e3f2f275ddd611afcf079cff895777473626f07891fe5422cdc0
    SHA512: 13df060c6d0980cf2ad48452fb7e0eb1f786b94e7fe7c4dcdc029398ee998e83c514313ac8d54719c2fb612662260a0c5865075abed08f7c895a4e01b1474726

  • C:\LabZIX\bodasys.exe
    Filesize: 13KB
    MD5: 010abc54ad22b0097656874fb22a7154
    SHA1: 45bdf3c1248bfa8c3561f645584b422b09487bfd
    SHA256: 705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633
    SHA512: fa5324f35df376fc039ce4e3f804a6f788d3702b680d932e1c53d240d96195a223dda954f583c38f94a775656386606d2c16788dd30a1aaf3eae959c47311545

  • C:\LabZIX\bodasys.exe
    Filesize: 50KB
    MD5: 5a5665c7137dbb99c240364297a4a512
    SHA1: 382969d394b80571fb04064003528f6f7cb81c89
    SHA256: 43da80304f219af92d96cf484c45a88d31282f654bab20c3b544a38bc2b1bf0c
    SHA512: 33b15087e7796b5765f6e892f3aed8ca9515db91a47d84744d014014ed36b1a91df2e1fe0609dd04eb0f54498f460a4cf2af8d67cc9f898e606ba34323841b95

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 25a7ba2da9ad8d75279f4bd1bd8adc65
    SHA1: bb38e5b11bfafacc5263f36cabc40765309506aa
    SHA256: 6a4b5015808bdcf1211731e246f79b018e1b42dbcef46ee0cbf0aee4abde9d55
    SHA512: a5675af2be709c08106fc27cb76516c3d757b375211a653cbb1d001c07208c689276b0ca9eb2e608f97df2c52a1644482437bcdfe1a10240e786d8347c37f8e3

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: b14a79cc399d851745678957953e4e1f
    SHA1: 221357c6160169c24d77214540150806829683c9
    SHA256: e529fb5d01346d06a3664dce1af2f53edd0b7d46d64189477f1302427f140260
    SHA512: 3bc3a941927a1b3f8d0e47b7cee488aa3b237b5b3478ff98c141e0ddff93d846f615a007ccc5a3bfbda1e0e10aeb8eab82f0cffa28a08efa79112ba499963d70

  • \FilesP3\devdobloc.exe
    Filesize: 2.6MB
    MD5: 4157a839ed802a193c37c22f97b64fa3
    SHA1: 42731071bae6f6dd8d83b72bbfb79fd548d286d7
    SHA256: 3596924e9fa084388399674702f7f9190f317986ffcfc7e35f3b4d48e4c2abcc
    SHA512: 3c8633f4f9fb27be5989997c69dd7704bae4ab700b83e2532c64d814d6d1785f2a72b2a0760aa47d6ffcb5317177d1900c617258fa1379c67613e73928818dce

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 2.6MB
    MD5: fd61a2eb30169a059a4064242badf0a6
    SHA1: b3a28dc6da04f7842b607efd78f682df6901feff
    SHA256: 3587de8105d92eef1da3722374212e36f13e8f197584bd3f7db9158ec06d361d
    SHA512: 32e2e32d525ddaa83f7f48fb7fca969b2c443fd0ff0af3d41284adc46eb3c4b45654074bcadcbd27fed9d37b69123f98880a0045750e67bc09c9bad42b231b0e