Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
  • submitted
    11/11/2024, 23:40

General

  • Target

    b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe

  • Size

    2.6MB

  • MD5

    782bc029e917158d9dc2d3af1462493f

  • SHA1

    231172651917f321cabd4532b993d1fc6cce977e

  • SHA256

    1a103394edcd5e659330eb4db0b7c2f6af6979238a46c71fd9f31e7647dfcec8

  • SHA512

    6630c41ee88582001e04e491cfc1a7329f2bd5fbcb781dcf3924c1a0753d4daeb445a4340d312aa5ded8283b627393d43a2687afaca47afc3a4011674697b34a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqw:sxX7QnxrloE5dpUpKbVw

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
    "C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4056
    • C:\Intelproc7Z\abodsys.exe
      C:\Intelproc7Z\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4564

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Intelproc7Z\abodsys.exe

          Filesize

          277KB

          MD5

          ca19464d7a0745e69831e036f9433af7

          SHA1

          ea4cc82861e4b3b327c21eb4b50ee3dae27f3438

          SHA256

          5352f9c5d0d24fc9c7f1cf693681928d19cb7b2d0dfbf1d89d6c2dcbf50eaf50

          SHA512

          17e551e3896f678dc97ad87db02adf7ccf7887b0a2d7a9a47485fe74e6e792b430010a4477a10da9c8871c08f395b09f127611e8792b5172a11b4878c7171e1c

        • C:\Intelproc7Z\abodsys.exe

          Filesize

          2.6MB

          MD5

          5503271a899bf7569c30ca5cb735b1fc

          SHA1

          c9bed33b6dd70fda2058191e33ea0aeead5c7e40

          SHA256

          67210a7e5b1678bac07860a65781d2e763f27a6bb43d9c8592c3a0efdc8dd5cc

          SHA512

          b5596f65c6c18ada1c31b7e221207ae27cb855470005af1e14948a457d3c1a24509a80c2e0447df1ee33c25925a9673a572ebd7b20b136f475ca16b6a3ba54b6

        • C:\KaVBUX\bodxec.exe

          Filesize

          2.6MB

          MD5

          48f805b7d06218f08adcdfc7dc4cff32

          SHA1

          fdf34bab3f639607a6fa8bdda358e9a7877d7248

          SHA256

          34a30a8664e1832b7616a9b10b9b7b28f1fdbafac4e22e54db1b1f556d5dfb64

          SHA512

          0bcea93c4d5efd09217e7938c254d03ff758c8b066280c1735e970287c1acc579a016bbf8737242b6ac7ce5be8393a44c179defb6c9606850052c524b86bb60c

        • C:\KaVBUX\bodxec.exe

          Filesize

          858KB

          MD5

          29b2ae0e13ab7ceba24dd078951245b5

          SHA1

          0777602131df34a6bc094a712f3b916bb96604be

          SHA256

          2a2b8a7f689f30b282dfa807f09256f427ae99ddf8145ae6726ba8a6f07f845a

          SHA512

          e412a05336831e835fba5129c60644bc250be17af5052214470d91a134415e4676a0f8d34c932170f811b0e1d25efd117ac15d3bfa1841f2be12ca534c628180

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          b8541d68cd4714b1048cbb39e194b092

          SHA1

          129ddd79233f73e96061c0997166b6d4bac063ab

          SHA256

          c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e

          SHA512

          cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          d375844367e3f417ed3d7a15e80eb050

          SHA1

          020e6acb873b7b1556136e720fd6d44b02cb5769

          SHA256

          d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295

          SHA512

          37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          330d205e3ddebbbb6dce7683cd1661b2

          SHA1

          8ed60bc6e10e7577ddf4368792e88789bc647738

          SHA256

          fcf2c91fcb9ece4f2802fde13665ea9f5dfe72f06777b38976addb4982500cac

          SHA512

          ad3ffec47a30648778b10680527c72dd55bd18b5370eb6542a59f3026a7be64ffd3bf935c27c75c1f81c73a72a1038b1548b0f67f7482f4a295754adef94aa01