Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:49

General

  • Target

    88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe

  • Size

    2.6MB

  • MD5

    c43d5f34536775004db54a33cfd82f6c

  • SHA1

    f2aa967ee3bfe10a7568bf653ba0f5d5cd3c9466

  • SHA256

    88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8

  • SHA512

    0a7ba5f9cc094d03f531383809ca9bd77ca1402846d352cf62ec7ef1f5b0bcef664f2b02acfc025183a3fa9b099f1628893ea8b6964f7ba5e5c2e4623ba3c375

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS2:sxX7QnxrloE5dpUpDbf

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
    "C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2460
    • C:\UserDotIP\aoptiloc.exe
      C:\UserDotIP\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB2K\bodasys.exe
    Filesize: 512KB
    MD5: b612536a69426c62f07a81d28343052a
    SHA1: c8ddf174d82c2872ec7e36e7796ab4237b063b77
    SHA256: 201bf89286f5f1250edb9c59d040cfe8ea65588992d4a67d7fe63c78fb921959
    SHA512: 26b709a53db7e3e02dde2cd9338edcac9d67aa2212bb9f096be01f48a7e30d9a6788fc4915bb6d30e2a88b5cbc6fa86e85d9bfb1c0de9d078f09faf107643f22

  • C:\KaVB2K\bodasys.exe
    Filesize: 7KB
    MD5: ec404dc607a7bce365c371372c732d22
    SHA1: 4d3414b75d79d8d911c3947e95add02806762e93
    SHA256: 8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2
    SHA512: 25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a

  • C:\UserDotIP\aoptiloc.exe
    Filesize: 2.6MB
    MD5: f2765a5246afb6d56fa8ce37dd894523
    SHA1: b5b9aa1b3606a0ee557dee98efd21bd4ea9571d1
    SHA256: 31fed3db65d3ee8e83f210900bc39671f9938763fa3f35741302a52527b7cae2
    SHA512: 1b133fcd4bbf5722c94710f4c3382bb793f37f958ba1632e8dc17b86475b2fa880747f9678894a95ab819805f276533af55ef6da46c734c5e0f1a40588b586c1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 04feaa1d4f81483c9a2f5482753019af
    SHA1: e1c3a09f0480eeeb31de4ed99ffffc742431227c
    SHA256: 1382d4d1bf168cdff0146fc604ac88135c8014d3f41caa2aa4a6feca19a902a1
    SHA512: 554815da60b126a8784ad2d042d5a9aab7e9678d5e2f6b79e0abfba213d2b465ea424c7bf7da1d53af004e0ed14d5a990cd851472dbbdf2d5eee38f2ae0870e6

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 69a183cff34416725afbc7d921438a47
    SHA1: f9d1ef1277f79192dd16fb501ecde4a27f39f29d
    SHA256: 39151a714e0e211945e7915c76f29399d378472fae6bfd6daee304915ac63519
    SHA512: 25bebb3b3adf2274379ed0d0ea1390e6506de25160e5091129691b168b4bf65602f3faaa0016cf2eb32e686c61b7882c2c0fae57386fe2485df5fa3f68c0dc4c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: 1868be1e930162b4549fb2347ba53ee2
    SHA1: 860d3434c512efeefddc95e1e71fdd7915d6658c
    SHA256: f9638cd0ae18341e617c205f1e820947330437165cc1eecb975f9606549a7660
    SHA512: 3deefad36469a80e013d1dac7a64a1234f4c0c5b764b3ee7c803da3f89982fda9f9e84b738c6f829d1fdd9a67394587d3b6559dfffa50a8b96547511be6b93c0