Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:51

General

  • Target

    778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe

  • Size

    2.6MB

  • MD5

    f24829d54377deba94bd4b8fde70b726

  • SHA1

    cdbc61b458a50d33cb68270e9b077a0a0af70fc4

  • SHA256

    778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb

  • SHA512

    4e644377691dba3b04413d3c35a1801aa207bc45cf1c04efa9971786541fd5a6629d332d2d230b16b1318d6ba49863bf21f85741767665240e8cd1f6a741adfa

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSi:sxX7QnxrloE5dpUpMbl

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
    "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3112
    • C:\IntelprocC6\devbodec.exe
      C:\IntelprocC6\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocC6\devbodec.exe

    Filesize

    2.6MB

    MD5

    ba90945c50dc76629b19a2d3736c46be

    SHA1

    23916a68c2708b157c8f45bd791d53fcbf528bbb

    SHA256

    5c734b18e6a604d0ffc61ac3d4e729013e576db11cd3afb3f37f29c89cb85552

    SHA512

    4cca798af1519e8f14d4dde5f8c792665132be6f052a75c52daec3d40375c95da8ca91d5da5b91fe378c1db1a35bfb6cffdfc7020ef076723ab9c28c4aea11f1

  • C:\KaVB2S\optidevloc.exe

    Filesize

    256B

    MD5

    bae5eb085a9f023b8d36e2a083933bdd

    SHA1

    c8f3b383d6ce74e8606027a03db4b0ae08c513b1

    SHA256

    b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

    SHA512

    93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

  • C:\KaVB2S\optidevloc.exe

    Filesize

    202KB

    MD5

    4503f43350c98c8ae658355212079b8e

    SHA1

    86a7c7b6166b332571b70f2c7968ccd7041910ad

    SHA256

    d3ef657c1718994cb918dfe420c88ca1b61057911ac87c1c6259f4b6c7efd3d5

    SHA512

    429556b723819c1abb3db86673b150b85b621667926e1510e8ace318e36bf638cf4531a27c8a9a224e1acc8279e94e041f50e88c9b5b824c6bb8f7dabcaa6307

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    9f22aaa0f43d47cf3e91fd643d4e6b60

    SHA1

    ee688f0699c2ee569074c443bc9ab9f9b7e21a78

    SHA256

    e17ea0e1dbf000af8477d8d9ff80633c1312207c8272f103845dd012df772349

    SHA512

    1d26fe7954b2d8efc5b465cc25f823b03818fe10cebfcd3af95d644a5b78bd5be2c8de1c0f2e9065594fd5d99c2d2c8c71b570dfd56825527f699e9f2c08fa0b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    176B

    MD5

    7c97a222141cfe806981508621c31d23

    SHA1

    2a4ada46e919b83cf01e2cc92d9c93ead6748c0d

    SHA256

    8cb9339849b15b433e7a0b987657ca000781a84520cabdfddb5a4d41569b091c

    SHA512

    9a0acf843fad85fd09ae54f8a793ec395b13730293eeb8972e41ae9f550a887d081bd20fe0ebeb002d17571571f4711b277fee308ee2424dc6b28099789746a7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    25575e7168bc8168a14f556a89928e56

    SHA1

    19dd3ff4588c0b4f07dcdead51612798695e613c

    SHA256

    2445ed3fc264b0ad40cc03fa7aa05239d3211d1763879d67855e4f7e4d95f5a9

    SHA512

    cd58a26082f76ee3808e4230c2620523afba86f75b4421d6942899d888e922d539755c7dff605d2578242a112eb0dcd0f6002ba9403bfe48cd1198395a93652c