Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:33

General

  • Target

    7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe

  • Size

    2.6MB

  • MD5

    ed3cb1d16d0b67b5b30f72731d353745

  • SHA1

    d27e62b376ac0bd8d24587fd40ffb2d0c7a25034

  • SHA256

    092d2e1ad6c85ba0bbfc8a65245cfdb155b91139c6812c5c8f4068ede8401099

  • SHA512

    b1ebfb36f3374946b91249de82c0c4d28ef303808e0561748d6af6ce45d0476e05483120921de0fdea667aa7b79ab7575f5a7ea964b592c32344f4e127747cba

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSQ:sxX7QnxrloE5dpUpfbZ

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2368
    • C:\UserDotMU\abodec.exe
      C:\UserDotMU\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2016

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\UserDotMU\abodec.exe

          Filesize

          2.6MB

          MD5

          1b0a495cc5c7a844b24316842be71386

          SHA1

          6cd1dcced7c1850a186431a638242d988d866487

          SHA256

          6e727b1ae17b504043adf8f38e281bd0972ce90f29457618cada2f3fae46f23d

          SHA512

          9b5ed4775422a727e9f71335342a63ead897342ad54f40f162f7ecc780cb38bf316b0aefe150b89a723ccb618378150d2a1f7b9d3f77482fb2f9a0fef9f15976

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          309d8cc8f40a9aedc7ec7ee631bd6701

          SHA1

          5fb6b0b9aa44089a2b5ee439be6b28963fb88e24

          SHA256

          bd7f484cbababa216047328b4d69a9c26c39f9de53328886bd545a0657059155

          SHA512

          2df37a72a4e324257577fbd34652c16dae48816d63a303e2c54fcc752c138021a8eba43348e63c8781e0dfb278f2edaa2ad299fcc766790c799f68c33d806d70

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          6b8f7f2f98253e763a145cefa8649e2e

          SHA1

          5d75c57750b9435d825b00c95634a91e59bd3c70

          SHA256

          3ee570752356688cd31b57e3194df044776bdaf257183091888d197dac07a738

          SHA512

          e2589754ec7e6e661d29e5aa17f440ca0a31a32d9e09f772c3a6a68ff477b1e583ae0125211e2145298c3ce63d789dd049b0548c34ebbcca36e88fae4359f5e5

        • C:\VidOT\bodaloc.exe

          Filesize

          2.6MB

          MD5

          6c8fc2713f7b94c8ed28aea51c70db78

          SHA1

          edfbb7139c7bbb9521997cfa8754880755ad4307

          SHA256

          3790853bbe8a78e50dbcd6d8e362ceb77e1552608af1f9677e0eac0297def5cc

          SHA512

          d396f282c69bbb788db6e1634a95ccc9fa44a0ad7c926f98ece9890a2c0a72d10a4728d1fc213ce6a35849f936d42eb5b73419ddb434118234c1a83ff778fd89

        • C:\VidOT\bodaloc.exe

          Filesize

          2.6MB

          MD5

          d43203d843deaa9613234ac08967125b

          SHA1

          2a30913b0b1797d1c276c81619bed5af724cf5ef

          SHA256

          11976b63814594f6fdece5a349de3674aacdc8b9a9fbbd758b0deef5ecce3995

          SHA512

          234409939b043c6ebfb6888346fc422dcefa74198dc8e0fb7bafffe45487754c87fded7ec9c2fdcf23306bc6517cbdfd9d0ddf880b8c4971c26490dd39cb42fb

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

          Filesize

          2.6MB

          MD5

          16b1fc60d105dc0b77f8ec3de4696c66

          SHA1

          fa6e79fb147412ef61e70202c89e42959b5c8807

          SHA256

          89bc1db28b52b56c9bd2d72d1fb720559c9c41d141f9572710bb920f5ec61482

          SHA512

          2d09e589fb0fe4950e5fcd0bec59c936e5e7cb971150c463fd1bed2bf40ba18c0bb18695b77010f4376ec9e958f9fa099bd895cbcff1bd6f661bb4590ba43039