Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:12

General

  • Target: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
  • Size: 2.6MB
  • MD5: 463d1ea4a3d732f379b2bf231d270cd0
  • SHA1: 4a9e8a1be5638eca39edf12778de6f6f628f1cfd
  • SHA256: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677
  • SHA512: 2be4f1eedbd979d5af503623ab2256a4ba30895dac59e2efac457db303b411e89e7c9166c8a884841fb6543cdb155a460e28f24b899bb758c37d49ef843c3fb1
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpOb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe
    "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4440
    • C:\IntelprocOK\devbodec.exe
      C:\IntelprocOK\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4824

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocOK\devbodec.exe
          Filesize: 2.6MB
          MD5: a08ec3e57b5dae41771b8b3073840297
          SHA1: 2f11b3b8d787d892bb359999a9857b7ec7b3a309
          SHA256: 5fdb8f15fa291474b98795e22259da8e98912bc53b4139ac6dd0fcf392345055
          SHA512: 3c0719ce1220e85721e4c6e03113c59444596d20c58b44e38015c82fdc3ab57bb5b39ae36661743d486cb74dcd14bd7f0113cf1df21a8b91f28c4e92f04470c6

        • C:\LabZGM\bodaec.exe
          Filesize: 2.6MB
          MD5: 98fc73177737cd0c9eff527d66f80916
          SHA1: f5075e8adbf07a4dafe448ae12751c5872d540e4
          SHA256: 11e715ce373687e20413cada9eb2831f387dcb86acf661cb445dc01b4584164e
          SHA512: 538e3326775ecad9ef561f75af52957f442b671a5dc94d3441abd54052f20a51a6e85acabf0ac4ecdb41c744b823b8fb775b3caa32bd5ee8a95d6f9b35530467

        • C:\LabZGM\bodaec.exe
          Filesize: 2.6MB
          MD5: 9a9b03df5249404e318e6ca55d983c25
          SHA1: 92eab36ffc075efa1ce4c09f1aeb6230a365359e
          SHA256: fcc037d405ea9ffb2ac196987ddf6839028365bcbe2ee6dce1568ffffcc9c970
          SHA512: 276ad3c43253dda2367f601df1d58c11e0301b5bbb43f95a9dbf6065b1c6118d11ef40278792d7309911b267f644bb4d060c3c13d2ffe28c330b57b254ba0350

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 206B
          MD5: 01537ef5891ecae49de1e717964eee19
          SHA1: c6fdfd83a365d8d25327df7b7010c847ecc54538
          SHA256: 3b5f9dfe7a0a49edef4de7b109d92d653677a78407b276ad3eedfb5c65beae3b
          SHA512: 254594107d2cd333ac25dd9da59d3fc525d8d0c40e31b270260f6f9663873d79198e4e40e9a31e8b8f9a182aad4ab9bb0ac9d2b143688fc37daafd0c602ec1f9

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 174B
          MD5: 8d2a99b6b462485d40f50bb541140d03
          SHA1: f6923a6bb17e70e852cd982d5101642a12e65cdd
          SHA256: 42902bdc4b1f4e9980fa383324738cad0e1872d4f1b8693a8f29d6c57aec1c2d
          SHA512: 3a44f46ade1c4be48b3b6150ccdeddf525376ef14720dee9c32f31850729fe68180dac542330d98812b534e45b8e142492f543987093eb8f881eb3b0e186c11e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
          Filesize: 2.6MB
          MD5: 4d497d2dbc6590aa554171388efb4d37
          SHA1: 73d6c8c01130353f184ee077b566718788891323
          SHA256: e0f1fbcd29f959730e37f385749ce2a6deba27f7cc4f7e7588aa915f50012708
          SHA512: cb039c9e2d5f2ff0d193690fe668b32fcf12c2391463b7e766f72d97e72620f6978a373fd12b2f48643fcfe8c8c5311ddccd08016791b652aab6440ec27717de