Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
  • submitted
    12/11/2024, 16:57

General

  • Target

    4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe

  • Size

    2.6MB

  • MD5

    6de03fab414e9990d9061dd0ed693020

  • SHA1

    55d0e3b1d8f296d32158205df82ee427cd06bcf4

  • SHA256

    4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7

  • SHA512

    98fe4cb7ea453a279a1df75a5162cfe0802ee52aa82412f98f16ffeb02b47048ae624ead2b88aa382464865b4d16cb2dfd568899396c61cc136720bd3e7a9c15

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSq:sxX7QnxrloE5dpUpFbV

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
    "C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4264
    • C:\UserDotB5\xdobec.exe
      C:\UserDotB5\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4844
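The persistence chain above (an EXE written straight into the user's Startup folder, a Run key, and two root-level drop directories) is what a responder would sweep other hosts for. The PowerShell triage script below is an added example and is not part of the sandbox report or the sample's own code. Only the paths and SHA256 values in it come from this report; the function names, the flagging rules (any .exe in a Startup folder, any Run-key target inside a drop directory or a user-writable path) and the output format are this example's own assumptions. Note that C:\LabZ4W\bodaloc.exe is listed under Downloads but does not appear in the process tree, so the run shows it being written but not launched; the script therefore checks the drop directories on disk rather than relying on process evidence.

```powershell
# Added example, not taken from the sandbox report: host triage for the persistence
# and drop artifacts the report records (Startup-folder EXE, Run key, C:\UserDotB5,
# C:\LabZ4W). Run from an elevated PowerShell on a suspect host.
# Only the paths and SHA256 values come from the report; function names, flagging
# rules and output format are this example's own assumptions.

$ReportSha256 = @(
    '4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7'  # submitted sample
    '8723c1868bc6c93e46afe3894308de08a731c7bb82af3ff70cc24eef2ff76ab6'  # Startup\sysxbod.exe
    '1fff33631ec6692dccc1bcbb29702613e03c3ff95a9bb094c29581210fecf964'  # C:\UserDotB5\xdobec.exe
    '53a2e937a09f39809cf6cc39c9c16b6f04c72a56da860d85c5682e9c42221093'  # C:\LabZ4W\bodaloc.exe, 93KB write
    '6f1c709d3a2eb4c7e74d5ce6bc53d92057a6b2e105a779882f63157bef1b22e6'  # C:\LabZ4W\bodaloc.exe, 2.6MB write
)
# Root-level drop directories seen in the report. Treat as hints only: names like these
# are often generated per infection, so any EXE run from a user-writable path is flagged too.
$DropDirs = @('C:\UserDotB5', 'C:\LabZ4W')

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}
function Get-Sha256Lower([string]$Path) {
    if (-not $Path) { return $null }
    $h = Get-FileHash -Algorithm SHA256 -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($h) { return $h.Hash.ToLower() } else { return $null }
}

# 1. Startup folders: every profile's folder plus the all-users folder.
#    Shortcuts (.lnk) are normal here; an .exe written directly into Startup is not.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$startupDirs += Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in ($startupDirs | Where-Object { $_ })) {
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha = Get-Sha256Lower $_.FullName
        $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        $tag = if ($ReportSha256 -contains $sha) { 'HASH MATCH' } else { "signature=$sig" }
        Add-Finding 'StartupExe' $_.FullName "$tag sha256=$sha"
    }
}

# 2. Run / RunOnce keys for the machine, the 32-bit view and every loaded user hive.
#    The report confirms a Run key was added but does not show the value name, so flag
#    any value whose target lives in a drop directory or a user-writable location.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # Pull the executable out of a quoted or bare command line, then expand %VARS%.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $inDrop = $DropDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        $userWritable = ($exe -match '\\Users\\[^\\]+\\') -or ($exe -match '\\(Temp|ProgramData|Public)\\')
        $sha = Get-Sha256Lower $exe
        if ($inDrop -or $userWritable -or ($ReportSha256 -contains $sha)) {
            $tag = if ($ReportSha256 -contains $sha) { 'HASH MATCH' } else { 'suspicious location' }
            Add-Finding 'RunKey' "$key\$($p.Name)" "$tag -> $cmd"
        }
    }
}

# 3. The root-level drop directories themselves, hashing whatever they hold.
foreach ($dir in $DropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Add-Finding 'DropDir' $dir 'directory present'
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sha = Get-Sha256Lower $_.FullName
        $tag = if ($ReportSha256 -contains $sha) { 'HASH MATCH' } else { 'unknown file' }
        Add-Finding 'DropFile' $_.FullName "$tag sha256=$sha size=$($_.Length)"
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it elevated so HKLM and other users' profile folders are readable. A hash match is conclusive, but an unsigned .exe sitting in a Startup folder or a Run-key value pointing into a root-level directory that is not Program Files is a strong signal on its own: droppers of this kind frequently re-pack between infections, so the file hashes above should not be the only thing you hunt for.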

Network

MITRE ATT&CK Enterprise v15 (framework version used for the TTP mappings in Signatures)

Downloads

The same path appears twice where the sandbox recorded two different file contents at that path during the run; both sets of hashes are kept.

  • C:\LabZ4W\bodaloc.exe
    Filesize: 93KB
    MD5: b5c0de4a0aeb209ef138246a7fb84861
    SHA1: d1d8776f857ca62f150a0ff55e52436c1f0d285e
    SHA256: 53a2e937a09f39809cf6cc39c9c16b6f04c72a56da860d85c5682e9c42221093
    SHA512: 8238641d9edf8d17ca4b133742898b11a31eaac6d0c14fb8b9bcd281980e0e91d247b5a07b0fdbf51312d51d7595a1ea2edc4a7e6a4ec65cbc9474b4dfd896c7

  • C:\LabZ4W\bodaloc.exe
    Filesize: 2.6MB
    MD5: c5fdb4b9a0515c491c6b5362fe13900d
    SHA1: 41417bc36274c7e90bba38e3ca9c453b55fe41a7
    SHA256: 6f1c709d3a2eb4c7e74d5ce6bc53d92057a6b2e105a779882f63157bef1b22e6
    SHA512: 30906c7bcf7edb03c1830922c695efee6caa321d26cfeef027028f508ff22a08076501889520cfe14e39010766b488374f126d4127ab10d091a7ae4d8dc8fc20

  • C:\UserDotB5\xdobec.exe
    Filesize: 2.6MB
    MD5: 9aa9611efc6843522ae5df48d37410ef
    SHA1: 45ba78ad660eceac178116c3f62a657b5037ce54
    SHA256: 1fff33631ec6692dccc1bcbb29702613e03c3ff95a9bb094c29581210fecf964
    SHA512: aae57c228b44af99eb737f6d2a9b67b45fe7fcf9fc7d6a1dbf45d4bb8ead94d404c644f6876c85b82f5127a647b752c6c313e9d4ebf439b54acd5036c3597c10

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: e096f89193d31f2f5daea4549f7da64d
    SHA1: 6d8002acfd71dc968921c32b7b48fe832b43a832
    SHA256: 877bdeac6e06a0043c0e0a808a2d25069287f546dce1fb782b93480e25bc6141
    SHA512: 98a9a2c7126d4303444e8d82a6a67b23e7607e116e73281f518c1d5d8a3cfbb0796037f8718e70b7559c8261b35d27939d86ed278e466b1bd2df208d31eb2b04

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 8dd51ed7c0fd42f6ba68db74bb1f8af9
    SHA1: 1339bd2ff1b739b0e136f55201fcb05ae032d8e3
    SHA256: 8f2896a479a10e9a773b7857d8a38880a82a73fdf0719b458ab3208bfec51924
    SHA512: b4c04af7d2527780af0a5397d0a8772e4488bbf02fb4e88fe4c1c42dad391dc1839e4c67a021519cb98754d8a467112049f061a3aa6b1f992a4d6e3066eceb53

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: 59d5f4a5ba8cdbe8a58480fce0fdd6b8
    SHA1: 949edb9f117c6881fa1f0cd8f66e799b3a12641b
    SHA256: 8723c1868bc6c93e46afe3894308de08a731c7bb82af3ff70cc24eef2ff76ab6
    SHA512: 2cdd5bd9cd8e23ae7a0b5abf3750046651a2ac389a9e9bb5ea163ca0a54950b7eabb847a838ae337bd6cfdd0b7ab6b999810b76bea1147c74ab1765d7cb4d4ed