Analysis

  • max time kernel: 118s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 22:57

General

  • Target: dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
  • Size: 2.6MB
  • MD5: 87728a415246cf1e3538fe76b2acf843
  • SHA1: 3bce8a71a9c0718c9d3a044457ea55f8b3419bb4
  • SHA256: 5176155f86655f989e23071d0faf656ee8d09890c0b52771cfff45dc93053a85
  • SHA512: 39eb8df8e93f475534011eac272fb0a36909bd080b7d2db9ac04a0bb8fdf152117fc7a63c67400fc3bb5ef731be66f798f1822bddbb3ebdbf6b0fa2614a3d41d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSo:sxX7QnxrloE5dpUp0bT

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2416
    • C:\UserDotCO\abodloc.exe
      C:\UserDotCO\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotCO\abodloc.exe
    Filesize: 308KB
    MD5: ecb86671afdab56d722dfdbaeb1dd77a
    SHA1: c42c6de98e313d5aebd3a56a590a090001722241
    SHA256: 061f4d2321acb2815360a70045dd2e0e9dffa26d8a1cbbbd53e3975a2390366c
    SHA512: 91f978d46ae705fcf026ca97f2ee273c416495cc0b6d41178aabb563e1b674914d8f34cd9e07b832780c89ab0ac2d5762e9299d9c73c888132f2fda05dcdfe5d

  • C:\UserDotCO\abodloc.exe
    Filesize: 2.6MB
    MD5: 443855c5857c94fabe94ca66d577eca8
    SHA1: 9e93dd454341ebd6cadde580084cee79322d86f2
    SHA256: ef99ff242eac57b88f586aa522becd64d9ff3d332324a1864ce8db9e6a1636ea
    SHA512: 8a0c2b37a378a25542ce7fb6e771dc002d75978ba2485c3a19ae369481567e96d3ce9573899c55bd1da9965f23e5657847a0774f91af7c9c68d050208a161fea

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: a3700d6613d85833a8e2738e5a8359e8
    SHA1: 78e06c6364601d9930503dbbb6af78e97ce34bc4
    SHA256: 8ce9a1cef82f7d0b93fc4bebb1eb8e020cc2c149022e396f5f64c4e397e26249
    SHA512: 7e0e1dc76e4d2548ca06f76c4efbc8d762e0f178908d3fbc2c07964626d02ae9d39ced61fe17a072485af305432f959413640bb24004bb810ce86d120499d556

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: b5fd6c4342da1afa99627d879a644dfc
    SHA1: 0475b557d14c4ea21f926f7f1064814efa335896
    SHA256: b4e9c9f405e3993fe943b67d75a220c9df9280441a30a73d32061e38b41893b6
    SHA512: e7b55b63b7f420a8a7e0f53e80a50f3a2f320d27868e55904609bae7aae5116ca389cc41a8dffc28912a3fdd2ca49c8e3f217b4b793d50d36aa7e6be00f05771

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 2.6MB
    MD5: 797c6c23837628dbd55c18ddabf6b317
    SHA1: 387c05cb3c1bc5de828b162cb7e6ebc592ae87d3
    SHA256: c9c6b9326a6e3d8107a34011402e3ffb5bd219ff294405a5bdc5e749a7c47e26
    SHA512: c745769109417e785da991716b414a85faa0de023cb6b69afd5afdafbc522759a45abb0e9ae8a67921bf8a72069629f2eaff6943bff03e73798718579cd2f780

  • C:\VidK3\bodaec.exe
    Filesize: 679KB
    MD5: 90a958f21a4ab169735076960458620a
    SHA1: 6ff165f5ed17e5b805ad4e0d69db4748ce9bc551
    SHA256: d72b5c17982e729ed1d069d2f62e2f79827b4088f3d98aacad9730705189e97f
    SHA512: 3d5c83a3f6071c2b98765ae3c6bb3686591605d4513e0f343e633f6046ba5f8d3d32fc5358760a17e6c898bfc1dd0d1294a2d9c4c8a6379cc25cbe99798a3205

  • C:\VidK3\bodaec.exe
    Filesize: 2.6MB
    MD5: 8fcc8739408c0e50387d04fc8217c0cb
    SHA1: c3ed4cc84043986c74e25f1b08f66e248578e162
    SHA256: 8afb7ca3de15570d981252c2c9bb3f6340364fef6e4ba978a407d07161fc7715
    SHA512: efb0a0d3522e558b2e98925a82a15a7ce82b166ec31d111b08120a852ed1afd096ea4e8fb4cb314b36230af1199903ae4987e85961945a2949db94e33ca10638