Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:16

General

  • Target
    cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
  • Size
    2.6MB
  • MD5
    1cc9f4da809ff5ede1c260a2d8bf1ab0
  • SHA1
    2da2e9db9ee914d0a323c218a890a8e9b52c7d0f
  • SHA256
    cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01
  • SHA512
    5946e6509a71957fb7764745f7a5fed2d60e652ff3dbe3eb8709c833705c66e8c2cac5e037d5c248950e4bf4e265d813a4aab3092501d63d1899cde722d13399
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSq:sxX7QnxrloE5dpUpfbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4948
    • C:\UserDotGM\xoptiec.exe
      C:\UserDotGM\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3852

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZ6P\bodaloc.exe
          Filesize
          1.3MB
          MD5
          07fe53e036adad9d34e2e66b1f28c1a9
          SHA1
          d0b6a82cf7d05776a8ca2edd1d4f04c79be1297f
          SHA256
          5578cbdc067a67fea314675b8a46857b112635cc47faad7fe7281fbbb601c5e1
          SHA512
          5b5eab820e58b7f0660b15e4425aa10b9cd63f34a6ca4364a17a0f8c39556f0dede10c6fe2276a71b97bdae20752ffacd2df7f829bec851efddb1a4bc6256f26

        • C:\LabZ6P\bodaloc.exe
          Filesize
          2.6MB
          MD5
          d97523eb37cc9b1fd31db187689fb578
          SHA1
          2daff9958151e843bf2d4c925e9ae4703ddc319d
          SHA256
          b336785dc65f3cc904e243aca411ea2660ee63cba53aca3ebb2797fee4fea410
          SHA512
          cca378c10ddac19b9ecb1c630e635b3475f80738e862473a74092de6df06aca55bdcded24c427c0b7f7b9815e9c9019ddb63ef5efad8d44ea15acb470b22a0c1

        • C:\UserDotGM\xoptiec.exe
          Filesize
          2.6MB
          MD5
          523a370865f0b1be7f45e3ba0c0089db
          SHA1
          fc4b2d372f01505a1f7b56b7951a4c2ac4303673
          SHA256
          f1e3022d02d52847f4508b69c4b5b0f427b0e723b48edcc367f30b7923be5647
          SHA512
          fa670c94f1cf6aa534f87821df3aeff7f9c9eef8fac5aad5ed583b38f4df91feaf00389c3954d18ead07d04734c9d78bb7668cbc518b16d2a26d73990905edb2

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          202B
          MD5
          6f6c2cd458413ab1f676197c4edba2af
          SHA1
          81a206308a3271a19affab3b43f60378a14cbabd
          SHA256
          b1c0d20fec10f8d1856dd8fdc2aac263ae0c40f09a05f19b3cb394ba2831846f
          SHA512
          f07c272b3c073c5594c9759dc530641ae2e613ccddb43c86cc013c4c44fe02620be813b8f0bd6de73c07849359f4cc99f5cdd7b17593f0edabecf638b2483627

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          170B
          MD5
          0f490545dcc0116e13e59c42cfe70fc9
          SHA1
          b95f29a24ded5214565ce70573f9175c9698a91f
          SHA256
          4329d3a3ad95ded40bdc3aee9a0c0c3c2db827374aa67512a9f07cde8048b828
          SHA512
          6c356ee407ccf3b77f6656d922885f315cde56418dbc12673727a85eacae9b937f1bf8bf9f8eee0a7da9e7f4ff17dd5a78fa869a204de945cc2bfdb6cdfc81b3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
          Filesize
          2.6MB
          MD5
          9b04c8dd2af9ca806fd615b7f4b82882
          SHA1
          720a1c3839766138592aa869af5d2188345292fd
          SHA256
          d7125edaf76f06f8c4a78b5460950cfc0f48995ab7f6303965fde310aa268e25
          SHA512
          e954aefb6e9a3036457a3c2228a88ba3fa7eabad7ae4a777b6a371bab1f69e324697b9c8ce7adafd3e13a583b6f4340be27c8fe00ee9f595872ccb0cca0ed651