Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:52

General

  • Target

    88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe

  • Size

    2.6MB

  • MD5

    49333303d89ee476bb4c0530413e26f0

  • SHA1

    20e7e5e65bf92a7566f733c9b1abf5253e56bcf9

  • SHA256

    88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109

  • SHA512

    1befd8176f259a8bf390c0901a26ee350b046877318cc626e1c82e3a03eb2745d867f3d64b3450d7ac391b8f834d6e32ee3d680081c677ac6c6f15a246827601

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpUbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
    "C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2552
    • C:\SysDrv4T\abodloc.exe
      C:\SysDrv4T\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2140

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrv4T\abodloc.exe

    Filesize

    2.6MB

    MD5

    a6b70624db72357bc7f2753e3f4c895f

    SHA1

    297e4c3986d53aeea385f299c352131ff6ed64d3

    SHA256

    2b8c8b8dcb5c5170ad0988131774b5a23bfe3016f4cf1522686b88f7138ba65d

    SHA512

    24b53f7fa3a2a4268b68f6391c9c11953b4c1e906afdef3c1b4a98968ea0eff2f02701f3851fb5d363d8d1320b1eecf4fcfa3edc9fb359ffc1109611fcbfa51d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    f89f6efbbfa7a8e2dc21c781f72c59c2

    SHA1

    50de7d6feb87c66dd53d97eba97e179c6b8ffaa7

    SHA256

    dbda1a9673975c515e599dfe9e60fc7133a2c4d04aa28aee011f6d8588027d96

    SHA512

    42aedb72083eb0382829eab199628817a359c16a95fe5431edce99039edf753ca817ff80ff679376bd3131a64a239c9521691363fd2d04701c900b5793029978

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    a13c89395d2437687795fb42fe2dd089

    SHA1

    b3373bee8de2c71b2569c5fce8f0d55aaa6acf9f

    SHA256

    c12c46958996c19a8e9d56d3bbfc305ef4f1d7cfc3ff104ed6e5c07b57dcc445

    SHA512

    79b88aa43d099204375ce8c083c44e6b9fb5b54c2254b22bc15e4fa277a2b8aa7207e21b6df1e9d0dc4cafc77c5bf56d94c22eda3263e095806fdb5a71b67281

  • C:\VidFG\bodxloc.exe

    Filesize

    2.6MB

    MD5

    68b3c5bb08141c9475075002142f6c4c

    SHA1

    15324ee1ea079363f5ee1d2db87c07e9be05fe7a

    SHA256

    82fe3cf5891275833a4c26394b47f595df69fb73a3b45d41fa16d99dd5002177

    SHA512

    07b6b5e4050eb0d0971406f02d12c7185f164244d7ae212a73ce2e367ac247faf3243d558dbe7eb76b203fcedffff17cfb05d8a04bdd53aa9a7cf0e99dec39a4

  • C:\VidFG\bodxloc.exe

    Filesize

    2.6MB

    MD5

    eaa87037017d3173f95e7dc71ea5c998

    SHA1

    d30452b5f25962e9558d547277cfae8170ec54dc

    SHA256

    996498e5c16dee0540c8dc2a8081653201b8298580acfd34ab6bfe0cd8bc6538

    SHA512

    22031c3d38275b7ce3ae07d262e870d36f5f4ede1e3b135b9c00a357a25a96939ecb0d047012eabf514cdf1619c0d6d43de582543de2e3cd1dc04b920be78a32

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    fb0e91eb5ffa25b47b302ab073cfc18e

    SHA1

    9a786ac9d12afde29e7db803bfa7ffd113076341

    SHA256

    a2ebcfcdf9afddf00a0dde56740fabef8fc8779f8ae0a121281ec2e20c27c851

    SHA512

    321158a69ff6aa3d9fd05cd24b14ca069e5b22e6b262ba48004e93bdb6e53232d4caaac54cb1376250c9e0c59ea581186257d91b780cbd2360ba251b0dc60759
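Host-triage script added here to turn the process tree and dropped-file hashes above into a check that can be run on a suspect Windows host. It is not part of the sandbox report and not the sample's own code. It assumes local admin on the host, takes the paths and SHA256 values verbatim from the Processes and Downloads sections, and treats the observed state-file name 253086396416_6.1_Admin.ini as an instance of a <digits>_<OS version>_<user>.ini pattern (6.1 being the Windows 7 version); that generalisation is an assumption. The Run-value name is not recorded in the report, so the script flags any Run value whose data references the dropped files rather than looking for a specific name.

```powershell
# Host-triage script added to this report (not the sandbox's output or the
# sample author's code). Assumptions: local admin on the host being checked;
# paths and SHA256 values copied from the report's Processes and Downloads
# sections; the .ini name pattern is generalised from the one observed name.

$ErrorActionPreference = 'SilentlyContinue'

# Fixed-path payloads. bodxloc.exe was written twice with different content in
# the same run, so both recorded hashes count as "matches report".
$KnownHashes = @{
    'C:\SysDrv4T\abodloc.exe' = @('2b8c8b8dcb5c5170ad0988131774b5a23bfe3016f4cf1522686b88f7138ba65d')
    'C:\VidFG\bodxloc.exe'    = @('82fe3cf5891275833a4c26394b47f595df69fb73a3b45d41fa16d99dd5002177',
                                  '996498e5c16dee0540c8dc2a8081653201b8298580acfd34ab6bfe0cd8bc6538')
}
# Per-user Startup-folder copy (path relative to each profile root).
$StartupRel    = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe'
$StartupSha256 = 'a2ebcfcdf9afddf00a0dde56740fabef8fc8779f8ae0a121281ec2e20c27c851'
# Names that identify the dropped directories/binaries in Run values and process paths.
$IocRegex = 'SysDrv4T|VidFG|locdevbod\.exe|abodloc\.exe|bodxloc\.exe'

# SHA256 via .NET rather than Get-FileHash, so this also runs on the
# PowerShell 2.0 that ships with Windows 7.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

$script:Findings = @()
function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $script:Findings += New-Object PSObject -Property @{ Check = $Check; Path = $Path; Detail = $Detail }
}
function Test-DroppedFile([string]$Path, [string[]]$Expected) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $h = Get-Sha256Hex $Path
    if ($Expected -contains $h) { Add-Finding 'file' $Path "SHA256 matches report ($h)" }
    else                        { Add-Finding 'file' $Path "present but SHA256 differs from report ($h)" }
}

# 1. Payloads at fixed paths.
foreach ($p in $KnownHashes.Keys) { Test-DroppedFile $p $KnownHashes[$p] }

# 2. Per-profile artefacts: Startup-folder copy and the state file. The observed
#    name 253086396416_6.1_Admin.ini looks like <digits>_<OS version>_<user>.ini
#    (6.1 = Windows 7); matching that shape in general is an assumption.
foreach ($profile in (Get-ChildItem 'C:\Users' | Where-Object { $_.PSIsContainer })) {
    Test-DroppedFile (Join-Path $profile.FullName $StartupRel) @($StartupSha256)
    Get-ChildItem $profile.FullName -Filter '*.ini' |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_.+\.ini$' } |
        ForEach-Object { Add-Finding 'ini' $_.FullName ("state-file name pattern, {0} bytes" -f $_.Length) }
}

# 3. Run-key persistence. The report records that a Run value was added but not
#    its name, so flag any value whose data references the dropped files.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k
    if ($props -eq $null) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not Run values
        if ("$($prop.Value)" -match $IocRegex) { Add-Finding 'runkey' "$k\$($prop.Name)" $prop.Value }
    }
}

# 4. Anything from the process tree still running.
Get-Process | Where-Object { $_.Path -match $IocRegex } |
    ForEach-Object { Add-Finding 'process' $_.Path ("PID {0}" -f $_.Id) }

if ($Findings.Count -eq 0) { 'No artefacts from this report found.' }
else { $Findings | Format-Table Check, Path, Detail -AutoSize -Wrap }
```

Two caveats when reading the output. A "present but SHA256 differs" result is still a hit: the sandbox itself saw bodxloc.exe written with two different hashes in one run, so a file at one of these paths should be preserved and examined regardless of its hash. The HKCU check only covers the account running the script; Run values for other users live in their NTUSER.DAT hives, which must be loaded under HKEY_USERS (or inspected offline) to be seen.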