Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    13-11-2024 13:41

General

  • Target

    a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe

  • Size

    2.6MB

  • MD5

    25fcd43dd13be01b88d95f3006bf36a0

  • SHA1

    3c04d3af5a3fac3da76780e3d5e86e235987e2a8

  • SHA256

    a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14dd

  • SHA512

    8407df9422abc63a2f5ec47208593a27be276a3ba6cea634dbb2312544164ece7f6d78735bbf37ec27feea6e951814d9df15dc4f5f36c413d08086cb3704e7e0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
    "C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:684
    • C:\IntelprocLI\xdobec.exe
      C:\IntelprocLI\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocLI\xdobec.exe

    Filesize

    1.9MB

    MD5

    557588b5982ee60422bc38138d315908

    SHA1

    56e17e352888d7664301e1a19cef84c1824f544b

    SHA256

    a24a0dbdd0e80f6fa5a4b036401e1178f14a68dfb500fdee8a3c122edb7a1d80

    SHA512

    36853caafbe507895b1844d78762792758ed5a891216db3c9bbce7e094364eb04a6b0eb3e6c3cab2bf1a055a04e863d194a089908e1607395ecea28678ba80f7

  • C:\KaVB3Z\bodasys.exe

    Filesize

    2.6MB

    MD5

    6e11cb30f62f8cd386d00255c50be71a

    SHA1

    4aeb45cfa182f2b4015b98e191d3114809dacc9f

    SHA256

    3daa3251b19d6ee25450bda1d842f008eb1ac38893b643c10cf05e9424beff07

    SHA512

    d295e101225e7d5d78e3a71b144dd7827446e714924c08b63765cfc17b94876c5d62a4ff8f29b764fbbc83f9d73bf44d592548dbeb0aac43e016122a5ab46b3a

  • C:\KaVB3Z\bodasys.exe

    Filesize

    60KB

    MD5

    0adfdacc3885e032eb1fd49992ceffc4

    SHA1

    73ed7fc873d51ca8524a6b3a295ad5b0528e31c0

    SHA256

    ff47550d7958eb05d4bde24a1bac7be0f99f4f7afd0da28cf157ae62d7098fcb

    SHA512

    d1482a2a567e9aa4828d8323e0981ca2b58bd898cbd4d57f78296b038e4fe8014ed05ee6ae7f9c54fa0981b775f1dd8e5288cccb35b96e3d4937e49591989d6b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    f348bc501f1a74f403647395d8d0d766

    SHA1

    3af0aa7f929fabbfe1bd396fd69afd58077bbce7

    SHA256

    d17049dd81e4bcc75170d68963de970fbce45e5c58e09909f71cf590828c041d

    SHA512

    31e61a1a9094658e35f1ae375a81ad6ff83ab9d16ba9c8c63fe898f88680ce665017ec2fc37ae25f2dc1fb204e6d78ce19d86125d0ebecb5c36b1f71af466b78

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    03705cd718d63952b0c073dc88eaf4fe

    SHA1

    5b53fedcdd7a4ccacd680348f76cdde66bc1876c

    SHA256

    6bf99004847ef8435734b1953bce8ce4c9d2b4cb338885ebe7089509745c4aae

    SHA512

    de4b860353690cc080c6da16d3307a8f852d3167f4c31b200b03ca36b3c1aa4d51c02e14c0a6375301066835a0c7c46f09beae40d307259eabaa7bccd3605ec9

  • \IntelprocLI\xdobec.exe

    Filesize

    2.6MB

    MD5

    dbda7c25d2b3c11c3a43f3c8e4fb230b

    SHA1

    9e8f2deb40266be77ea745d41043f321565d4525

    SHA256

    0352b8fce892371eda02a0fc036093d8f7454aa26b636561f6c60a2213775c51

    SHA512

    4f2ff8441965c6475552e2871f049c428658b735604a860437cfc4e297e241b2f7100beb296c302b1bb93d7c8d3e8db2ea6ad164a8ce98ca75493b872ff13f06

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    33ea9f07e29dfeb60bcdb963064094a7

    SHA1

    793603c48ff6e6781324d69a971019d835a54702

    SHA256

    f82f429e3cfc207f56add276db41bcc26cadbc055eee6e58637922d287827a5d

    SHA512

    616c8a65a349e84520b585d245c6af0097d6db3175a4813ee8e80b2c13e4b0bd257b5982d23190c81c21d5d8edee72b4af1e94b2585fa32a6a89470aec22ca5b