Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:34

General

  • Target

    7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe

  • Size

    2.6MB

  • MD5

    3fa5ecad405ce4b1ed6f6fbb4fcd1350

  • SHA1

    7dbf377d4e7a50197cebbe5a1b8f8d8eb77f31e9

  • SHA256

    7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098

  • SHA512

    a9cabf8b3751830cc894959bcb8bbf06deda309e0aabcd3b85de04afe8100afa500d1e6e22dcdbbf67692de30fff246c86c6f411d52a1850dd8cfa5e3ed127a5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUp2bV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
    "C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3332
    • C:\SysDrvM6\adobsys.exe
      C:\SysDrvM6\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
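The process tree and the persistence signatures above (an executable written to the Startup folder, a Run key, and children spawned from newly created top-level directories such as C:\SysDrvM6) are the behaviours an endpoint rule should key on. The following is an added example, not part of the sandbox report: it replays the report's chain as constructed Sysmon-style events (the paths and PIDs are taken from the tree; the event layout, the Run key value name "adobsys", and the benign notepad.exe control event are assumptions) and runs a small rule set over them.

```python
"""Detection rules for the persistence chain shown in the process tree.
Added example, not part of the sandbox report.  Events are CONSTRUCTED
in a Sysmon-like shape: paths and PIDs come from the report, the Run key
value name and the benign control event are assumptions."""
import re
from dataclasses import dataclass

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Top-level directories where a legitimate executable normally lives.
KNOWN_ROOTS = ("windows", "program files", "program files (x86)", "users", "programdata")


def odd_root_dir(image: str) -> bool:
    """True for images such as C:\\SysDrvM6\\adobsys.exe that sit in a
    non-standard top-level directory rather than a known one."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\", image, re.I)
    return bool(m) and m.group(1).lower() not in KNOWN_ROOTS


@dataclass
class Event:
    kind: str              # "process", "file" or "registry"
    pid: int               # acting process (file/registry) or new process
    image: str             # acting process image, or the new process image
    target: str = ""       # file path or registry key written
    ppid: int = 0
    parent_image: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"

# Constructed events mirroring the report's drops and process tree.
EVENTS = [
    Event("file", 3764, SAMPLE, STARTUP_EXE),
    Event("file", 3764, SAMPLE, r"C:\SysDrvM6\adobsys.exe"),
    Event("file", 3764, SAMPLE, r"C:\MintUL\bodaloc.exe"),
    # value name "adobsys" is an assumption; the report only says a Run key was added
    Event("registry", 3764, SAMPLE, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\adobsys"),
    Event("process", 3332, STARTUP_EXE, ppid=3764, parent_image=SAMPLE),
    Event("process", 2440, r"C:\SysDrvM6\adobsys.exe", ppid=3764, parent_image=SAMPLE),
    # benign control: must not fire any rule
    Event("process", 5000, r"C:\Windows\System32\notepad.exe", ppid=4000,
          parent_image=r"C:\Windows\explorer.exe"),
]


def detect(events):
    """Return (rule, pid, object) tuples for every event a rule matches."""
    alerts = []
    for e in events:
        is_exe = e.target.lower().endswith(".exe")
        if e.kind == "file" and is_exe and STARTUP_DIR.search(e.target):
            alerts.append(("startup_folder_drop", e.pid, e.target))
        elif e.kind == "file" and is_exe and odd_root_dir(e.target):
            alerts.append(("exe_dropped_in_new_root_dir", e.pid, e.target))
        elif e.kind == "registry" and RUN_KEY.search(e.target):
            alerts.append(("run_key_persistence", e.pid, e.target))
        elif e.kind == "process" and TEMP_DIR.search(e.parent_image):
            # a parent running from %TEMP% spawning from Startup or a fresh root dir
            if STARTUP_DIR.search(e.image):
                alerts.append(("temp_parent_spawns_startup_child", e.pid, e.image))
            elif odd_root_dir(e.image):
                alerts.append(("temp_parent_spawns_new_root_dir_child", e.pid, e.image))
    return alerts


if __name__ == "__main__":
    for rule, pid, obj in detect(EVENTS):
        print(f"{rule:40} pid={pid} {obj}")
```

The Temp-parent condition is what keeps the rule quiet on ordinary software: a Startup-folder executable launched by explorer.exe at logon is normal, one launched by a freshly executed file in %TEMP% is not.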

Network

        Downloads

        • C:\MintUL\bodaloc.exe

          Filesize

          2.6MB

          MD5

          4ecfe40e660a4c63e1206a6d85527685

          SHA1

          1961094f10a23027d3c1bf665ae0503bdf317f21

          SHA256

          26ab1f7f302eb50842b4d61d30f76d0f887c4347ff732504967238ef1b4020f3

          SHA512

          92157b83f0b9435263d7e25360fce40b4685d0d63f7152c0cde81c5c15b3aac2fa13fc1f05de4ede3377a296905faa7d428edccd16940d32d866184d9830c01b

        • C:\MintUL\bodaloc.exe

          Filesize

          2.6MB

          MD5

          d97bc12445392c64481a08b57b9d458c

          SHA1

          450f878beef8256da090ee58defeb3d32f3dd4f7

          SHA256

          cb4c499ef9c76dff644979815678c265a0621e2639f7617013b5be5e0a36da02

          SHA512

          5fbdd3b250be5919b409597f8bcb6dfd8d94db70d848e825480b48719d40372d52047ab19e21b4697d3d6e0937c8173b855b2a0666e304b142084d6b18263e4a

        • C:\SysDrvM6\adobsys.exe

          Filesize

          2.6MB

          MD5

          9df520ae6a107cbc1950bedc2054b653

          SHA1

          24c8080315eb26ecc72c1b5fb9cabe2d74f98a49

          SHA256

          5b8dfeeb10ccfdb6d451d82bcb8af5e206f2608d811cd99e253ff1126b71dead

          SHA512

          c4bd1c33a3b29084a5f213995176f306e47e1b7da4a63e37d7efcff6d6c8d87416ce6b47571d9a5d8c77a94be05cbd07bba13c30e0a40ebed32080bccce2199c

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          1eda7d3587c86e1eaa7a9f1192981a50

          SHA1

          e3210d99de1ab1dbed737783d55e934727378d1a

          SHA256

          9a3b96ce337f48538e497b3fcb95f27d3a54d6737558b9e17009158b53925518

          SHA512

          c99abe354d38ccd5b3d9dd3cd669c294af43bc1e329ce2dfdf18005dffbc4e47afdf52b84f73d05825ce594ce01b6713275523a74daaeb261743a48b66bfdd6f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          4fdb89e4cc44ba1dc006549d8ab3a025

          SHA1

          287ffda7f8790d87d00a31a4cf985ad20f22627d

          SHA256

          c37031d1de1c8944a3402fe529874a21f9cb0bd622aaf171fc744960136ed298

          SHA512

          699ad5c17c4fd090e8ac722279279e5df47701697d3aac57f8f6513012b0df97cbe97eb9d707242ab8df7c447b8bd2ece61ed5cf69fbcd5cbae917d3f165a20e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          19edeaeac68a0a42c6769b981f7f4743

          SHA1

          9d3c091af76091c8df69f4cfa0f74fea25c8d580

          SHA256

          61542906bc9a6c2c9c68857aa7f68a871600ef1416b1d7f1e2a6f9cfdbb34717

          SHA512

          0dd8aa10bece4d79c5369309a0b6c867cf4c65258b0090e219953f3433bffbfc06a5e063af2f9c6b23c88bb0ea63892f731a35b0faec46d0f915c945a3da48ad
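Two things in the list above matter when turning it into indicators: the same path (C:\MintUL\bodaloc.exe, and the .ini under the user profile) is written twice with different content, and all three dropped executables share the 2.6MB size but have different hashes, so a single run's file hashes are weak IoCs for this sample while the paths and file names are stable. The following added example, not the sandbox's own tooling, copies the path/size/SHA-256 columns from the list, groups the writes per path, flags which hashes are safe to ship, generalises the user-profile paths (the sandbox user "Admin" also appears in the .ini file name), and hunts a constructed host inventory with them.

```python
"""Turn the dropped-file list into host-hunting indicators.  Added example,
not part of the sandbox report.  ENTRIES copies path/size/SHA-256 from the
Downloads list; INVENTORY is a constructed host file listing."""
from collections import defaultdict
from fnmatch import fnmatch
import re

ENTRIES = [
    (r"C:\MintUL\bodaloc.exe", "2.6MB",
     "26ab1f7f302eb50842b4d61d30f76d0f887c4347ff732504967238ef1b4020f3"),
    (r"C:\MintUL\bodaloc.exe", "2.6MB",
     "cb4c499ef9c76dff644979815678c265a0621e2639f7617013b5be5e0a36da02"),
    (r"C:\SysDrvM6\adobsys.exe", "2.6MB",
     "5b8dfeeb10ccfdb6d451d82bcb8af5e206f2608d811cd99e253ff1126b71dead"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "203B",
     "9a3b96ce337f48538e497b3fcb95f27d3a54d6737558b9e17009158b53925518"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "171B",
     "c37031d1de1c8944a3402fe529874a21f9cb0bd622aaf171fc744960136ed298"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
     "2.6MB", "61542906bc9a6c2c9c68857aa7f68a871600ef1416b1d7f1e2a6f9cfdbb34717"),
]

USER_SEG = re.compile(r"^(C:\\Users\\)([^\\]+)\\", re.I)


def generalize(path: str) -> str:
    """Replace the sandbox user name in a profile path with a glob so the
    indicator applies to any user; the .ini name embeds the user name too,
    so it is wildcarded there as well.  Non-profile paths are unchanged."""
    m = USER_SEG.match(path)
    if not m:
        return path
    user = m.group(2)
    rest = re.sub(re.escape(user), "*", path[m.end():], flags=re.I)
    return f"{m.group(1)}*\\{rest}"


def consolidate(entries):
    """Group writes by generalized path and collect the distinct sizes and
    content hashes observed for each."""
    groups = defaultdict(lambda: {"writes": 0, "sizes": set(), "sha256": set()})
    for path, size, sha in entries:
        g = groups[generalize(path).lower()]
        g["writes"] += 1
        g["sizes"].add(size)
        g["sha256"].add(sha.lower())
    return dict(groups)


def hash_ioc_reliable(group) -> bool:
    """A content hash from one run is only worth shipping when every write
    of that path produced the same bytes; two hashes for one path means the
    content varies per write and a hash match will miss the next drop."""
    return len(group["sha256"]) == 1


def hunt(groups, inventory):
    """inventory: (path, sha256) pairs from a host.  Match path globs first
    (stable for this sample), then any known content hash, which also
    catches a copy stashed under a different name."""
    known = {h for g in groups.values() for h in g["sha256"]}
    hits = []
    for path, sha in inventory:
        pat = next((p for p in groups if fnmatch(path.lower(), p)), None)
        if pat:
            hits.append(("path", path, pat))
        elif sha.lower() in known:
            hits.append(("hash", path, sha.lower()))
    return hits


# Constructed host inventory: a different user, a renamed copy, and a clean file.
INVENTORY = [
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe", "0" * 64),
    (r"C:\Users\bob\253086396416_10.0_bob.ini", "0" * 64),
    (r"D:\stash\renamed.bin", "5b8dfeeb10ccfdb6d451d82bcb8af5e206f2608d811cd99e253ff1126b71dead"),
    (r"C:\Windows\System32\notepad.exe", "1" * 64),
]

if __name__ == "__main__":
    groups = consolidate(ENTRIES)
    for path, g in groups.items():
        print(f"{path}: writes={g['writes']} sizes={sorted(g['sizes'])} "
              f"hash_ioc_ok={hash_ioc_reliable(g)}")
    for hit in hunt(groups, INVENTORY):
        print("HIT", *hit)
```

The 2.6MB size shared by every dropped executable is a better clustering key than any one hash here; pair the path globs with an ssdeep comparison against the SSDEEP value in the General section if fuzzy matching is available on the hunting side.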