Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:13

General

  • Target

    18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe

  • Size

    2.6MB

  • MD5

    0dfb70f35e3fa52b28c1b0902dff5080

  • SHA1

    c789c44af04c1c3d92336ad22863074c61ba4e8c

  • SHA256

    18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106

  • SHA512

    fec0fcf56b2d290d9d39d91b5d426c48d5244dc61696b2ffd316c5c426d66ce7e4f19eddcfd9bf51d0a3799bc6b15d8837e54e7d693c984eb4d4aa7e41c3d1d1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpxbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets the browser keeps on disk.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
    "C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2396
    • C:\FilesKT\xbodsys.exe
      C:\FilesKT\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3080

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesKT\xbodsys.exe

          Filesize

          1.2MB

          MD5

          2f2b29e5d07837de396beeb36cbb07f3

          SHA1

          f9ccbafe7e35183fd3a29f6df1140a2be819f0c5

          SHA256

          309ecff53e870a8916a97d4fdf272b369a770912a55b2f1ce7c3020190c2d882

          SHA512

          07066e32d4d46bee9ae3eac3bbdcb7d1970657a8464f7c946fca0c8a669056738b5b9b8d19b36ba98a5e07ee7f1d5c41377f374c345e16496b2471e973287d2a

        • C:\FilesKT\xbodsys.exe

          Filesize

          2.6MB

          MD5

          e61c6ee467ccf7edf4786023375a9081

          SHA1

          35cc868f5a567f186ce9d1197b535a7086519473

          SHA256

          ac26fdb3ca69a8476434b5206b251548707b2c940c67449410df4b4757ddbe1e

          SHA512

          2342f3e9f89489604a6325f926ce492e2f40f0024f005ffc8976eb7c421ea9e5206d4281040106bfc4ffc4cb5a9fcea381d39a62f5c80e46f211106901fb3cba

        • C:\KaVBEL\boddevloc.exe

          Filesize

          2.3MB

          MD5

          25c9b30b751a52abe4a1d552559e59aa

          SHA1

          de7ff044e0a3995c620287015c8bfab85a86b138

          SHA256

          a73cd4b3b49dae0c19e9f2f5111842932518d39b3c84d02d2299f2b3505e17af

          SHA512

          bd5ce9378cdfb496dbac8fae43faa72b1dd9838ce6160a8ab32bc68165089a99fd06f1e2c22f09c104ad20550ffb5f468dcec41c2aba3383966543775b91d0c0

        • C:\KaVBEL\boddevloc.exe

          Filesize

          2.6MB

          MD5

          9d3900eda9b7deb3442b01f625528836

          SHA1

          975f86a3d7824d17f1bb60ec5f84fe2f92043640

          SHA256

          4dc9f6fb7c9c0380a1fc1d6f52b27aa3e8b10c75358e30b494c9d049db2431a1

          SHA512

          c686fd8769ef882759b83a88714745cdf16239e7fef0920dfb11af6025f289cf8ada5ce7f5a30752c027507f050908e7445098bf5846092901a0f7ea5b1cd435

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          700d96510f323103a6e78882f146bf88

          SHA1

          5292dca087c1497c1717f77bfe25eeb16666d7ff

          SHA256

          535842a763a5f68dd1c196aba1b2d87a1b295fdec5816d8852632e16bcbf13f1

          SHA512

          57ea1c008e6f87252f6f34a77bbaecb8c0b8b7ca8dedd2ee676480884a228a7c0ccb1081ed0218f24cff50f6ae76712a573bcdb5ba137768cbd9b2166dcc6a53

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          62500b816125e48f9f7d11274d9d9bf0

          SHA1

          e76228a32c48a3de792f7070f7b64a8550b58db4

          SHA256

          e2d60cd7c457c602d95c0a893f818d34a0d31b8b74d387b9c84d070996e396e2

          SHA512

          5868ad2991a97731f7ece303a2afdf7a8cab4c667acf0ba386af18dc19fc0a583d9ee1d6ed3fa66ca2dcc38116964d9026b8c92a4aefdf63381c5fe291b824fc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          3adbe7210f464459a40a07a188b0a089

          SHA1

          733b2b5c5f7442f849e0decbc371c16511a6b6b7

          SHA256

          11a74b6f70c63e68bba563106364710fd768b74f88ddb325735e626eff54c0dc

          SHA512

          84930a8e48fa8b9d65d3ef3130df435ec9d9cfaabb01281dfd8a480e46e17bee7bf193ab430e9c999f6e6b69e00d7ab4348becc66fe38830897877d81d050f91
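To turn the Processes chain and the Downloads listing above into something a responder can check on a host, here is an added example in Python (it is not part of the sandbox report or its tooling). It parses the Downloads entries into per-path hash records, keeps every record when a path is listed more than once (xbodsys.exe and boddevloc.exe each appear twice with different sizes and hashes, which means the file's content changed while the sample ran, so both hashes are worth matching), and classifies each path on a filesystem root as a SHA-256 match, a path match with different content, or absent. The excerpt embedded in the code is copied from the report's Downloads section and trimmed to a few fields; the `to_local` re-rooting, the substitution of the sandbox's `Admin` profile for another user name, and the three-way verdict are this example's own assumptions. The Run key value the report flags is not shown on the page, so it is not checked here.

```python
"""Pull file IoCs out of a Triage-style 'Downloads' listing and check a
filesystem (live host or mounted image) against them.
Added example for the report above; not part of the sandbox's own tooling."""
from __future__ import annotations

import hashlib
import os
from collections import defaultdict
from pathlib import Path, PureWindowsPath

# Excerpt copied from the report's Downloads section, trimmed to a few fields.
# The same path can appear more than once with different sizes/hashes: the
# sandbox saw the file's content change during the run, so keep every record.
REPORT_EXCERPT = r"""
        • C:\FilesKT\xbodsys.exe

          Filesize

          1.2MB

          MD5

          2f2b29e5d07837de396beeb36cbb07f3

          SHA256

          309ecff53e870a8916a97d4fdf272b369a770912a55b2f1ce7c3020190c2d882

        • C:\FilesKT\xbodsys.exe

          Filesize

          2.6MB

          SHA256

          ac26fdb3ca69a8476434b5206b251548707b2c940c67449410df4b4757ddbe1e

        • C:\KaVBEL\boddevloc.exe

          Filesize

          2.6MB

          SHA256

          4dc9f6fb7c9c0380a1fc1d6f52b27aa3e8b10c75358e30b494c9d049db2431a1

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          SHA256

          11a74b6f70c63e68bba563106364710fd768b74f88ddb325735e626eff54c0dc
"""

FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}


def parse_downloads(text: str) -> dict[str, list[dict[str, str]]]:
    """Map each dropped-file path to the list of records the report gives
    for it, in report order (a path listed twice yields two records)."""
    iocs: dict[str, list[dict[str, str]]] = defaultdict(list)
    current: dict[str, str] | None = None
    pending: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):            # a new dropped-file entry
            current = {}
            iocs[line[2:].strip()].append(current)
            pending = None
        elif line in FIELDS:                  # a field label; value follows
            pending = FIELDS[line]
        elif current is not None and pending is not None:
            current[pending] = line if pending == "size" else line.lower()
            pending = None
    return dict(iocs)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def to_local(win_path: str, root: Path, user: str) -> Path:
    """Re-root a Windows path under `root` (an assumption of this example:
    root may be C:\\ on a live host or the mount point of an image) and swap
    the sandbox's 'Admin' profile for `user`."""
    parts = list(PureWindowsPath(win_path).parts)[1:]   # drop the 'C:\' anchor
    if len(parts) > 2 and parts[0].lower() == "users":
        parts[1] = user
    return root.joinpath(*parts)


def scan(iocs: dict[str, list[dict[str, str]]], root: Path,
         user: str = "Admin") -> dict[str, str]:
    """Verdict per IoC path: 'hash match', 'path match only' (file present
    but its SHA-256 differs from every record) or 'absent'."""
    verdicts: dict[str, str] = {}
    for win_path, records in iocs.items():
        local = to_local(win_path, root, user)
        if not local.is_file():
            verdicts[win_path] = "absent"
            continue
        known = {r["sha256"] for r in records if "sha256" in r}
        verdicts[win_path] = ("hash match" if sha256_file(local) in known
                              else "path match only")
    return verdicts


if __name__ == "__main__":
    iocs = parse_downloads(REPORT_EXCERPT)
    for path, recs in iocs.items():
        print(path, [r.get("sha256") for r in recs])
    if os.name == "nt":   # only meaningful on a Windows host
        root = Path(os.environ.get("SystemDrive", "C:") + "\\")
        print(scan(iocs, root, os.environ.get("USERNAME", "Admin")))
```

A "path match only" verdict is still worth a look: the file names in this chain (locdevdob.exe, xbodsys.exe, boddevloc.exe) and the C:\FilesKT and C:\KaVBEL directories are not standard Windows components, and the report itself shows the content at these paths changing during the run. Note also that the trace shows boddevloc.exe being written but only locdevdob.exe and xbodsys.exe executing, so its presence on disk is the indicator, not a process.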