Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/11/2024, 16:49

General

  • Target

    86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe

  • Size

    2.6MB

  • MD5

    c44913bc98605c7005cabb1c49c2afef

  • SHA1

    1845a2bf8f8c0ecb27ede9b86da76f722aff0c0a

  • SHA256

    86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb

  • SHA512

    d7b4fc2de4384c421a77a08ed0993ec0a92bf0f95e3cba8173a19a6dc532d88a014da88a0d9272df71edb4b18d7736e967b23e88b196520157854509107133e7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSS:sxX7QnxrloE5dpUpEbF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:512
    • C:\IntelprocV4\devbodec.exe
      C:\IntelprocV4\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2136

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocV4\devbodec.exe

          Filesize

          2.6MB

          MD5

          a8c0d9b0afaced6b6a99c551eae606df

          SHA1

          c6abb7d2bb5e2ba5d79189a31ccd23a95554fcf0

          SHA256

          ddaba5ed3ceaa8f67d880df09a24a7f20bc3e2f0c4ee671e2095047db66e8658

          SHA512

          d5182b924384821ccac870df1af096e33daa8fbb2f2f27f80df79feb0ca296db49ffda922b372c5f3f0507d93dd51e751215aa9be586bbfb6260eb6bdb3c166b

        • C:\Mint8G\bodaec.exe

          Filesize

          2.6MB

          MD5

          785f2dbb9ac193e1c4c4b63386620e19

          SHA1

          d23a39a57d941246c8bd7f908ba968803a6dcbd3

          SHA256

          65bb97a6d65db66e967eb2987dc8e4e987ab4e44b9c97ec8bccfec7b6a14594c

          SHA512

          f8a0f00ad20f7ef995d279b9bda18e228d755080f0c34a61dd3537a3030ae93bcdf0afd314bf9a51c8f54c215bd4973059eb53b6331c21c0ad4c4406e1d8f487

        • C:\Mint8G\bodaec.exe

          Filesize

          1.2MB

          MD5

          83a75670dc0fd400e5bbc6596c96a9b4

          SHA1

          731ec1c78065dd6faaee7b72e12f28876358b2f8

          SHA256

          2ea6c243ea06882e1769d079aaf52a2bb448e5906b0251a5d14b458a156b3cc8

          SHA512

          30a4915d565e03f804f75519bad17188bc4040c95ba81f3c31f56758f5eac43bbb49e0afc53429515fd839b48c8a5503a0aa7440a559f82b64c4b61bfde2387e

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          1cc6cce685476a635c25db87adeb39da

          SHA1

          09c4b6edd9bb73ff78c9c9ac4e7c8080da67f391

          SHA256

          40ae28ba98c6cfeee0147ac96359bb77042955e28a8076b517518fad379ef394

          SHA512

          88a61b6cd5e83369969a59e0d3c3991ef7b7b71e86f85ab8556f86cbe17da645806aaead054401b3497ad7cf772c2536d09d433fd622ac4df8f5eb34fc1ff576

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          ad2ede0ebd937429894e0be5e400a5b6

          SHA1

          4de246059890aac867acad1a5eac2735f700132e

          SHA256

          5f4e90886b4d6b2280664a439237a3ae7243992ebc28ef04e86c5a7a051190bc

          SHA512

          db6ad3649a0c57e0fe8e19ce97f781dbdc2b9e35c81ea1d2d74884d292604d927d4a3ff71425fac33bb3608a39b5a4749904922b7dfc99194825345f4beb9540

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

          Filesize

          2.6MB

          MD5

          125371f96e293ef35095b7bef90c5b2d

          SHA1

          b68e748bec205987866cdc89ab7a3da76e20472e

          SHA256

          ac813cceba324868ca6bdcfc024fb9879f2711a4ad5943e37a5aea1a154c9e11

          SHA512

          e7f5592f66e4555d02614eb72d2c13a30d1cbb06987ac29025bc6593f5ceb7d43f34f46c7601d4adf2434e31f89b8631e69ec7c0006dd0dc318809c2d618029f
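
The signatures, process tree and dropped-file hashes above are enough to hunt for this sample in endpoint telemetry. The following Python is an added example and is not part of the sandbox report: it carries the report's SHA256 values and drop paths as constants and runs simple detection logic over Sysmon-style events (FileCreate into the Startup folder, a Run-key value set, execution from the C:\IntelprocV4 or C:\Mint8G directories, and a hash match against the report). The events in SAMPLE_EVENTS are constructed for illustration; the Run key value name and data are assumptions, since the report does not print them.

```python
"""Hunting helper built from the IoCs in this sandbox report (added example).

Paths and SHA256 values are copied from the report. The Sysmon-style events
in SAMPLE_EVENTS are constructed for illustration and are not from the report.
"""
import hashlib
from typing import Dict, Iterable, List

# SHA256 of the submitted sample and of every dropped file listed under Downloads.
REPORT_SHA256 = {
    "86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb",  # submitted sample
    "ddaba5ed3ceaa8f67d880df09a24a7f20bc3e2f0c4ee671e2095047db66e8658",  # C:\IntelprocV4\devbodec.exe
    "65bb97a6d65db66e967eb2987dc8e4e987ab4e44b9c97ec8bccfec7b6a14594c",  # C:\Mint8G\bodaec.exe (2.6MB)
    "2ea6c243ea06882e1769d079aaf52a2bb448e5906b0251a5d14b458a156b3cc8",  # C:\Mint8G\bodaec.exe (1.2MB)
    "ac813cceba324868ca6bdcfc024fb9879f2711a4ad5943e37a5aea1a154c9e11",  # Startup\sysaopti.exe
}

# Directories the dropper created at the root of C:. Compared case-insensitively;
# the trailing backslash stops "c:\mint8g" from matching "c:\mint8gold".
SUSPICIOUS_DIRS = ("c:\\intelprocv4\\", "c:\\mint8g\\")
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"


def sha256_hex(data: bytes) -> str:
    """SHA256 hex digest of an in-memory buffer (lowercase, as in the report)."""
    return hashlib.sha256(data).hexdigest()


def is_report_sample(data: bytes) -> bool:
    """True if the buffer's SHA256 is one of the hashes the report lists."""
    return sha256_hex(data) in REPORT_SHA256


def sha256_from_hashes_field(hashes_field: str) -> str:
    """Pull the SHA256 out of Sysmon's 'MD5=...,SHA256=...,IMPHASH=...' field."""
    for part in hashes_field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the report behaviours a single Sysmon-like event matches.

    Keys mirror Sysmon field names: EventID 11 (FileCreate) uses TargetFilename,
    EventID 13 (RegistryEvent value set) uses TargetObject, EventID 1
    (ProcessCreate) uses Image and Hashes.
    """
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "11":
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_FRAGMENT in target:
            hits.append("Drops startup file")
        if target.startswith(SUSPICIOUS_DIRS):
            hits.append("Drops file to report-named directory")
    elif eid == "13":
        if RUN_KEY_FRAGMENT in ev.get("TargetObject", "").lower():
            hits.append("Adds Run key to start application")
    elif eid == "1":
        image = ev.get("Image", "").lower()
        if image.startswith(SUSPICIOUS_DIRS) or STARTUP_FRAGMENT in image:
            hits.append("Executes dropped EXE")
        if sha256_from_hashes_field(ev.get("Hashes", "")) in REPORT_SHA256:
            hits.append("Known sample hash")
    return hits


def scan_events(events: Iterable[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each matched behaviour to the indices of the events that triggered it."""
    findings: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for hit in classify_event(ev):
            findings.setdefault(hit, []).append(idx)
    return findings


# Constructed telemetry: three events replaying the report's process tree plus one
# benign control. The Run key value name and data are assumptions (not in the report).
SAMPLE_EVENTS = [
    {"EventID": "11",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\sysaopti",
     "Details": r"C:\IntelprocV4\devbodec.exe"},
    {"EventID": "1",
     "Image": r"C:\IntelprocV4\devbodec.exe",
     "Hashes": "MD5=A8C0D9B0AFACED6B6A99C551EAE606DF,SHA256=DDABA5ED3CEAA8F67D880DF09A24A7F20BC3E2F0C4EE671E2095047DB66E8658"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for behaviour, idxs in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(f"{behaviour}: events {idxs}")
```

Run as a script it prints one line per matched behaviour; in practice the events would come from Sysmon logs exported by an EDR or Windows Event Forwarding rather than from SAMPLE_EVENTS. Note that the report lists C:\Mint8G\bodaec.exe twice with different sizes and hashes, so the same path was written with two different contents; hash matching alone would miss a third variant, which is why the path and Run-key checks are kept alongside it.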