Analysis

  • max time kernel: 149s
  • max time network: 132s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10-11-2024 01:19

General

  • Target: a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
  • Size: 2.6MB
  • MD5: d1d59df8ac06d0567fe91e5a58b7e062
  • SHA1: 66c0620362f5d81606d1597592611a8009da8f77
  • SHA256: a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890
  • SHA512: 80e49a9af30a1de1b6f992f0a45e8b3ea25d251fc2c2bfe450d424909bcf5f675c01e4b45c2c35ef76cf2d43d01391b945dc570f887f4ea867fce4e0604aa08e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
    "C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1876
    • C:\IntelprocI2\devbodec.exe
      C:\IntelprocI2\devbodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocI2\devbodec.exe
    Filesize: 2.6MB
    MD5: 7881f7b78a318fa8511dd4bf5af06cf2
    SHA1: 6426478f139a959aae92d4b3b17be37c8617aa4d
    SHA256: 4d2109f75d1ab1ec6bf791c9e84533c6e8319c89d1d61ed9f45d09094eb7b8a3
    SHA512: 1ea19ae343a92e9c605a43cd97b26c3e00a0ddf3cf0adcbc3c12009973e6c4a7f3616440788ec91dca7504208e9c385122458df85e3d6448a00f14dee7a6de44

  • C:\KaVB45\optiaec.exe
    Filesize: 1.0MB
    MD5: 0cd612c6dac88cdcfeed4d16d02e91f5
    SHA1: 6635f247dc8698051428af8f17e266bebf9a93be
    SHA256: 0ad3c3f909294d3dbc80aa4e713ab35ff0a31c6ddbf83a77f44c06d3e9a51467
    SHA512: a7ee43d5001aebbed1b570030ec6c6a86195d628abb7f68856d568554796406a22fef47ccba19630817ed76e45af54ab5ac76fb2894c74273925bf9f7bdbebdb

  • C:\KaVB45\optiaec.exe
    Filesize: 2.6MB
    MD5: f1bd19beb5b738bf08bf84fdd0448b3a
    SHA1: 59c3ae42104bba7dd3775e896ecc71986e5e7827
    SHA256: b53c6195ef84564ee9b88106e29b867987b60901df81115200f2b54a33186512
    SHA512: d5decd97abc1cfd936e7862294b87ffb46a34acfa6e73cba463b2f2503bbe5f44499cba03ce9f8cfb31bf036c8cb26afe03aac9933697d7695d01b82feb7cbe7

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: fbeb177b9ad7e8253c5c0991fb78b90e
    SHA1: 678464792e954828a82bc3d1c8dd4972a78180b2
    SHA256: 7a6802ef9c599f5734a51d03bd3f27a1d458f9b5373f800930ae63d0ccd15873
    SHA512: 4ce911743c2336077bc88c91b77b21d80088246c2fdd7ac09afe4bf6e9a4ab5afa713e5526203712432f82d0670a2b68c4183a153a9479801c741fc7a1399f80

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: 1061add7fa4a961c4f15c503cf927e83
    SHA1: c673d110e4f324aa8bac4282835b3484d2043bd2
    SHA256: 3fb5cb85f3c49df444d7da8e0aac9a698bd09aa71c0f999c6c3f2aaafd5aac07
    SHA512: ccf3e18bcd71a6a44844303e1df57ef9b9e4fc9667e8ff0553c5f07511cd31c1d0ee1cc7727eae5d653e8a5689f21e3bd511e572d9325dc11ef083197c65403c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: 51711671764bc1db3aee57c437d3a781
    SHA1: 454da0fe0073504a43d7c3d77399a4c6834d90a3
    SHA256: dda6fdcff90b22c0ea4c89db3daceaa908f12b23480896c6fa26f2b5ac3cceb4
    SHA512: f460caf8e75c7ff05d0619578f9400c1ae43243b4283ebba09ea9ff64bc048e7a61dca4020e1de138895d6576aea17fd64ec56e9321b5c2471f4dd887e5ee6b9