Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:14

General

  • Target

    68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe

  • Size

    2.6MB

  • MD5

    51681a2932a495c3b9714864d135d83d

  • SHA1

    de0d2fd21ad60b3334fd41713cc0327d0421a255

  • SHA256

    68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1

  • SHA512

    80fe1478bf47a44ae86dcfb79941601d0156dea17d8a573f6b573e50c0987692c5de14e39d6b210152fb6859a9d44bd23e6614015df39e208ae1b2d078f125ea

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpAb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe
    "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:960
    • C:\UserDotSN\xbodloc.exe
      C:\UserDotSN\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3948

Network

  • MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint57\bodxec.exe
    Filesize
    196KB
    MD5
    05d1aef499a939a45d386a8773bff2a5
    SHA1
    ad23ecd183b65f96f85a66aa60f835efe4dabb75
    SHA256
    197d6eea47694e002dcdf2f43e71cd5ab6c52a23efc75bdb466ed23c58bfdcb9
    SHA512
    c21f6eceb5aae3a9d484a2f2979edcd2093dc57bfebbd6befd62cdce27c8ff83f6c2e1b25aabbf1c7da1e55481cf5f5a48fa4d9e67ecbdc61827dec2d247e4c7

  • C:\Mint57\bodxec.exe
    Filesize
    2.6MB
    MD5
    947104c8b41fca399fa03468bcedfd4e
    SHA1
    2dfce5587a6efcb59bbdbcc9543810310ca8c956
    SHA256
    a51539572e51ee889fdd617ea4ffc38f91b7687a281a7c253a6079012de17502
    SHA512
    9206f32e1f28202f56f8d3de0c75ca5cd7d391c7a49a31c51df82390001627974f0f059eb83f57c0df8d909b8355d29e7858f8484f765195f4f0e1a5f3c2710e

  • C:\UserDotSN\xbodloc.exe
    Filesize
    2.6MB
    MD5
    84bff849362b58596c334643a7dea5c3
    SHA1
    a1cbb517a83f7657b1a0a0b0cf912ecb501fa42c
    SHA256
    1367645ed02073b8d5c33a7223baf1daa69a8f5d9321da6f494ed38926f5e226
    SHA512
    d64aa0ea98771322b735cb6e1a31709c4bfcd21bf8f7153c161d661512631acc638fb85a2f8142a389d42ffe882a15bdd5529db7e48029f25d14eb080c31c4ff

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    202B
    MD5
    d03626188dbfa5b30c4095b58bd0585f
    SHA1
    b66fe4235651fa049bd8e7362f4a4564a4cafadd
    SHA256
    dfed6466bb8caed4b0048584d7869ef3471dd085aae220d7b02d4cd2e8336dc8
    SHA512
    8ee78de66f36c43a9f576a583adeab6af788fbbb544834ce97f177d3d4ac94eddae6f7e9b047f8b214267916683fabcbbfe5e8eda9c1ee112f927ffaf8c15e90

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    170B
    MD5
    6aca7155222b526ff79b7c3d945eca02
    SHA1
    3f32d5821ccb482669053ebcc71aebaf01a790b4
    SHA256
    e278a6c1da1f3ae86ba343f5128771a760ed18b7fbf0fc35c1d2fbef29633c3b
    SHA512
    51add21cce3b3336e33ad6c5741760104420bce1b5abaaad92a5881fa52b4495495e4c909420d3092b5abce61ebde1d6586cdc7e144532d9a2732974696648f4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize
    2.6MB
    MD5
    bbf77e00c4dd7f647f66c7b54b0c32e9
    SHA1
    03065422d67adaa9e1eabcf60e2dd3163bb2d9f1
    SHA256
    34f271953be5d57042931b292b069b6483907e141d5b4edb01c19f8968adbc65
    SHA512
    e6b288de36111b085b8f9d37cd75188cc739325683468cea35f4c0019ebc414f563f6a2d154b51c4f9c47e67d88ed0f5f7c165bc33d704159e8ce3e18ba0df88