Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:02

General

  • Target

    fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe

  • Size

    2.6MB

  • MD5

    a954123375b68224644745c7d4caf4f9

  • SHA1

    ad91f8c88f9414ce194d49898df6286671e14eed

  • SHA256

    fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30

  • SHA512

    9a1cde7ae63c7dbecde7b5c9150ce88074cec75980ad76c266a28e610e84ecaf3bbe02ff6ef2e7217ef61fdab126b005acc68b7f686b09836ef35cee218af648

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqX:sxX7QnxrloE5dpUpIbVX

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
    "C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4180
    • C:\IntelprocAC\devbodsys.exe
      C:\IntelprocAC\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4824
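The process tree above shows the whole persistence chain: the sample drops locadob.exe into the user's Startup folder, adds a Run key, and launches the dropped binaries from fresh top-level directories (C:\IntelprocAC, C:\VidAM). The following is an added detection example, not part of the sandbox report, run over constructed Sysmon-style events (EID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet) built from the paths in the Processes section. The Run-key value name ("locadob") and its data are assumptions; the report only records that a Run key was added.

```python
"""Behavioural detection for the Startup-folder drop, Run-key persistence and
execution of dropped binaries shown in the Processes section.
Added example, not part of the sandbox report; events are constructed."""
import re
from dataclasses import dataclass

SAMPLE = "fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
PARENT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
# Executables the report shows being dropped and run (lower-cased for matching).
DROPPED_EXES = {r"c:\intelprocac\devbodsys.exe", r"c:\vidam\bodxloc.exe"}

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# <drive>:\<dir>\<file>.exe where <dir> is not Windows, Program Files* or Users:
# generalises the C:\IntelprocAC and C:\VidAM locations seen above.
ODD_ROOT_RE = re.compile(r"^[a-z]:\\(?!windows\\|program files|users\\)[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass
class Event:
    event_id: int      # Sysmon EventID
    image: str         # Image: process performing the action (EID 1: the new process)
    target: str = ""   # TargetFilename (EID 11) / TargetObject (EID 13)
    details: str = ""  # Details (EID 13): the value data written
    parent: str = ""   # ParentImage (EID 1)


def _exe_from_details(details: str) -> str:
    """Extract the executable path from Run value data ('"C:\\x\\y.exe" /arg')."""
    m = re.match(r'\s*"?([^"]+?\.exe)', details, re.I)
    return m.group(1).lower() if m else details.strip().lower()


def detect(events):
    """Return [(rule, event)] for every event that matches a rule."""
    hits, dropped = [], set()
    for ev in events:
        if ev.event_id == 11:
            dropped.add(ev.target.lower())           # remember what this host saw created
            if STARTUP_RE.search(ev.target):
                hits.append(("startup_folder_drop", ev))
        elif ev.event_id == 13 and RUN_KEY_RE.search(ev.target):
            exe = _exe_from_details(ev.details)
            rule = "run_key_to_dropped_file" if exe in dropped | DROPPED_EXES else "run_key_set"
            hits.append((rule, ev))
        elif ev.event_id == 1:
            img = ev.image.lower()
            if img in dropped or img in DROPPED_EXES:
                hits.append(("exec_dropped_exe", ev))
            elif ODD_ROOT_RE.match(img):
                hits.append(("exec_from_odd_root", ev))
    return hits


SAMPLE_EVENTS = [  # constructed, modelled on the Processes section above
    Event(11, PARENT, target=STARTUP),
    Event(11, PARENT, target=r"C:\IntelprocAC\devbodsys.exe"),
    Event(11, PARENT, target=r"C:\VidAM\bodxloc.exe"),
    Event(13, PARENT,  # value name and data are assumptions, not from the report
          target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\locadob",
          details=r"C:\IntelprocAC\devbodsys.exe"),
    Event(1, STARTUP, parent=PARENT),
    Event(1, r"C:\IntelprocAC\devbodsys.exe", parent=PARENT),
    # benign noise that must not fire
    Event(11, r"C:\Windows\explorer.exe", target=r"C:\Users\Admin\Documents\notes.txt"),
    Event(1, r"C:\Program Files\Git\bin\git.exe", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:24} eid={ev.event_id} {ev.image} -> {ev.target or ev.details}")
```

The Startup-folder and Run-key rules match the persistence locations generically rather than the filenames locadob.exe or devbodsys.exe; dropped names vary between samples while those locations do not.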

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocAC\devbodsys.exe

          Filesize

          166KB

          MD5

          59a48ce5a74f8c922ed04e5f9065512a

          SHA1

          4edca80fba593207101ea059e3f114254b57a0bb

          SHA256

          a6325b8bbfcd9316f91ce21f6813e168d329c64b9bdb53cb12f7579d1114ce73

          SHA512

          795d81469ead76b3440276e99f749f6c01516877fd851bf1cbaff36aef76278f98cc2eeb831fcbbaa4a6c0d7af359f378de068acece5024a8f57541cc48f0b5c

        • C:\IntelprocAC\devbodsys.exe

          Filesize

          2.6MB

          MD5

          0455232c5f9f9f72ab1b7c358cf2b952

          SHA1

          9f8eebf483495941b81df84038de58827f979704

          SHA256

          2f301e3de255f4cbae139d3b49c73b148d78d8c89b901112f1e13ad8c47796ee

          SHA512

          bd7630f845f46165e33b17b9c04ac06cc82db70e79c0ab4f0e1612f174e2bf89cad666b6c9f6b0c6f572c7e6892fa70d9e23017d8956f4ac7f3a906298af9c00

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          875e764c94eaed6310810a1d24036e94

          SHA1

          2557544ec6861445d815640da6212dc140d6dff3

          SHA256

          0fd81a2a395fa7756a52e6d5ccc666c94f6ce1248a6c537993cc43c22a20c793

          SHA512

          cad4697cd2485d2f322a30dbdcc98a67d126031283903b329064e9d5769c558c7220fe1a3ffc144060a21722b1fcd5526c477d008f4f370793406062f6847b93

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          93e70b7e92487ac930f2b9f73db812e4

          SHA1

          b5a67cd09f64650c268a7ff24a7386d5e10c4653

          SHA256

          7762d8f936f20e4791e7243c2530cd913ee4c81e3aa87a174e70cf46ccb3d796

          SHA512

          b8972e3d1a15ec49c4c7dd40f70099558b4c6c6169f7622d3c486cfe555a5d5e9c657ccf73f8c0f9be0297fb3c80007f650632000d654250d1bb46a35389052c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          a63b66e74e8e27ab591d281e4bb7db59

          SHA1

          28db36803db6dbb558efefaded94a97305857e88

          SHA256

          f491697680f4cca7ee5f369aab3f3a045f04884f34dcd1e8bbd62d20c0465e33

          SHA512

          9ffd68aa70cd52b4edd1edd48a1db423985a131f2a54d75fa0bd89d05b087a2374046b21464757749927df0947744d74b82f3cc845a8ff350a770ec76187a11a

        • C:\VidAM\bodxloc.exe

          Filesize

          1.6MB

          MD5

          6c29ec948cb7cc49beeacd44edc7ba5f

          SHA1

          3f8fca2e9b5b524f47534978205bf11999d820c9

          SHA256

          cd7177727a4301dc97e033166992404a9a43f7d190e00bfdd55a218f6ad3e5b9

          SHA512

          262f29baf7cbd523aebff3f4b306df7ec1a227a93fe1d8d79b44d56c20c6a4b54b46346c65ed0f9d448af2f70dc3f830bce322289f015bb4b11b2ea0350a9330

        • C:\VidAM\bodxloc.exe

          Filesize

          28KB

          MD5

          d405a6e6ec1ee7e8bde0fa127d94f818

          SHA1

          3a4fc1b8659a42c0c87e2cb68df493ef10520626

          SHA256

          f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1

          SHA512

          0db30b1f330437d858e2a4f9ab32ec3ac5e2b5fdf0605b6a0bd6f7bd3b17f31a4967bac0fd7b59c07caf47c5cd0bc0b3e81597652c08a98bf5f1913674124529
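The Downloads section lists the same sandbox path more than once with different sizes and hashes (devbodsys.exe, bodxloc.exe and the .ini), so any IoC match has to be keyed on hash, not on filename. The following is an added example, not part of the report: it indexes the hashes listed above (plus the submitted sample's own) and matches files or byte strings against them. The bytes hashed in the demo are constructed and match nothing; scan_tree() is meant to be pointed at real artefacts.

```python
"""Hash-based IoC matching for the artefacts listed in this report.
Added example, not part of the report. IoC values are copied from the page;
the demo input is constructed and will not match."""
import hashlib
from pathlib import Path

# (sandbox path, md5, sha1, sha256) exactly as listed in the report.
IOCS = [
    (r"C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe",
     "a954123375b68224644745c7d4caf4f9", "ad91f8c88f9414ce194d49898df6286671e14eed",
     "fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30"),
    (r"C:\IntelprocAC\devbodsys.exe",
     "59a48ce5a74f8c922ed04e5f9065512a", "4edca80fba593207101ea059e3f114254b57a0bb",
     "a6325b8bbfcd9316f91ce21f6813e168d329c64b9bdb53cb12f7579d1114ce73"),
    (r"C:\IntelprocAC\devbodsys.exe",
     "0455232c5f9f9f72ab1b7c358cf2b952", "9f8eebf483495941b81df84038de58827f979704",
     "2f301e3de255f4cbae139d3b49c73b148d78d8c89b901112f1e13ad8c47796ee"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "875e764c94eaed6310810a1d24036e94", "2557544ec6861445d815640da6212dc140d6dff3",
     "0fd81a2a395fa7756a52e6d5ccc666c94f6ce1248a6c537993cc43c22a20c793"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "93e70b7e92487ac930f2b9f73db812e4", "b5a67cd09f64650c268a7ff24a7386d5e10c4653",
     "7762d8f936f20e4791e7243c2530cd913ee4c81e3aa87a174e70cf46ccb3d796"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe",
     "a63b66e74e8e27ab591d281e4bb7db59", "28db36803db6dbb558efefaded94a97305857e88",
     "f491697680f4cca7ee5f369aab3f3a045f04884f34dcd1e8bbd62d20c0465e33"),
    (r"C:\VidAM\bodxloc.exe",
     "6c29ec948cb7cc49beeacd44edc7ba5f", "3f8fca2e9b5b524f47534978205bf11999d820c9",
     "cd7177727a4301dc97e033166992404a9a43f7d190e00bfdd55a218f6ad3e5b9"),
    (r"C:\VidAM\bodxloc.exe",
     "d405a6e6ec1ee7e8bde0fa127d94f818", "3a4fc1b8659a42c0c87e2cb68df493ef10520626",
     "f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1"),
]
ALGOS = ("md5", "sha1", "sha256")


def build_index(iocs=IOCS):
    """Map every known hash (lower-case hex) to the sandbox path it was seen at."""
    return {h.lower(): path for path, *hashes in iocs for h in hashes}


def digests(data: bytes):
    """All three digests of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk=1 << 20):
    """Stream a file once and feed every hasher, so large files are read a single time."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_digests(d, index):
    """Sandbox paths whose listed hashes match; a hit on any one algorithm counts."""
    return sorted({index[h] for h in d.values() if h in index})


def match_bytes(data: bytes, index):
    return match_digests(digests(data), index)


def scan_tree(root, index):
    """Walk a directory and return [(local file, matching sandbox path)]."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            for ioc in match_digests(digest_file(p), index):
                hits.append((str(p), ioc))
    return hits


if __name__ == "__main__":
    idx = build_index()
    # constructed input: no match expected
    print(match_bytes(b"constructed bytes, not the real sample", idx))
```

Note that the dropped locadob.exe is the same size as the parent (2.6MB) but has a different hash, so a parent-hash blocklist alone would miss the Startup copy; carry the dropped-file hashes as well.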