Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/11/2024, 16:33

General

  • Target: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
  • Size: 2.6MB
  • MD5: d2808e3373c56fd1aabd501b37bc4fd9
  • SHA1: 5a4486f26e2c3bc11f9f7ec9e8a7e48adb94f354
  • SHA256: e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e
  • SHA512: db891ab58cf24b596c68260c65b72b57a54122a0cd00dba892be7b30aab550c3531837486738cf0874dc2408951bf91daeb257556c87a4c4face7c83035177e2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSS:sxX7QnxrloE5dpUp0bF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive account data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
    "C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\SysDrvWF\xbodloc.exe
      C:\SysDrvWF\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB1C\boddevsys.exe
    Filesize: 2.6MB
    MD5: b7a226bf2331f05130b41da79f75fdc0
    SHA1: 4284c1a8b441c78a20c908d2a29938e07d71332e
    SHA256: 20db50f7a121c96bc47fc9ee8ca893b999e766577e4f8c8d36321fc7d87d63f1
    SHA512: b749166eaab7431fdf6f2881bf50bc697461ee866025f71d8ad83d3568d373d14605f050bd786df4a065fc124124e6485144150363d5f40df30123fcec2a4db0

  • C:\KaVB1C\boddevsys.exe
    Filesize: 2.6MB
    MD5: 2cfbad5eeb6b20fc4af031801d45a7d3
    SHA1: 30eb198ce35220728d5f88b9539e912deaf5029d
    SHA256: baaed73e22bdb11d5b9b9573b9c3959fd7f4250fa0c61c64289e48d5ddffc1ec
    SHA512: 1eb53fa56ad33b21723c0ba103d4a0af31ddcc98cd7294f760155b7a298cd5df182a5b57bbcb54ff06c58ce3d3e0f30e033fb2832f7580bebc4e0cd4504be1ae

  • C:\SysDrvWF\xbodloc.exe
    Filesize: 2.6MB
    MD5: 5d9b84d99551c9ee041bb5ca61a8c48b
    SHA1: 2311b162de5d208aadd7261717dca6ce7860eecb
    SHA256: 971bca7de55d47b25cd8cea9205aa21af502134d154ebfd2007f37ff30c77ce0
    SHA512: 948c844a3ecaa17e9f285c106da7e05d6735675c240243102f9171f6268c1e0e8095390d950cc852659527726b8e31c371a840275069f69b2b916f38f9ac3293

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: bc32eeec9abc06b070c616f6c523d8de
    SHA1: 88873791dd5b07ebfd3f43f87d2f4986f3de06b7
    SHA256: 12dd1cd6bd8056bc78605fcbacd32a4f39573001eff02033ccd2926874698fdd
    SHA512: 17e73f6e31ba5bda35142ee3bec38276be09e62be899383c95fbd074f369a3da4c20427949747103d77ca1139ed82230cfe5e1c979a87ec1bee10c146505d42d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 7d7e4128542af780492182013b1f5213
    SHA1: d0c2e1f91b2c5316ee6d6ff21e778d2fcc094e06
    SHA256: b6c76221addadff58182d0f45009a9a3adb4aff2002378b15a2f3a512eacbe90
    SHA512: 14bb30f6d43b999e1698f9b78a84c64e5e0307e94472164623be5fadc4a94d10333b1c346c40a1543f4c493f829b27b2d95f9aad212d323883db481fd59b4f77

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: 64680f9ca782277eee07c70177fbedcb
    SHA1: f7ec18dc6e063663014079724a71e9eebc9c0fe8
    SHA256: e06fd50175c3589fb4f2088e199f06724fee1c458b1d99a3332e122a12a83a2a
    SHA512: cc9706b8b115d1b87dd648ee3ff2dd60ccfe08d97a8ce0cbeec75f056546ee8336d635665dedefdee70cb100d0e64a15b0aab0aa8df6db97c814cae922474bdb