Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 13:42

General

  • Target: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  • Size: 2.6MB
  • MD5: f7c91568e0ad74851e94df6c04f44f80
  • SHA1: ffc774105161917f47d12b6a9013ca3bc26e1f86
  • SHA256: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352
  • SHA512: f8c0ea51c48762f4eb5681b0dd203b621e61d442f13f14084c5a50bff3901a3c0e4472ae88ed615b2291f47707fbbabadb3270faaff5a25ba0a8e49ed1cc0568
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpob

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe (PID 3848, tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 1048, tree level 2, child of PID 3848)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\Files0K\xbodloc.exe (PID 744, tree level 2, child of PID 3848)
      Command line: C:\Files0K\xbodloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files0K\xbodloc.exe
    Filesize: 2.6MB
    MD5: 1a84319efbcc2411a83433a97cbf94b9
    SHA1: ca48340030c0140632c2b600ffa9b017505a4118
    SHA256: 1d1eeca6f7a7b91686eef75f9fd0ea5bb2d879f9226b70c5e54041569e8f7713
    SHA512: c2406a92d0f6d77cba79329cd3de7eb3f34180812e1435fe63b1ce29430f679c31f2e1f0d1affb1e5bb8169daab1845c4a3bd1c34f79bed903cba5121f90de09

  • C:\Users\Admin\253086396416_10.0_Admin.ini (first version written)
    Filesize: 203B
    MD5: 55abfb73f88f00f8484bfc7fdc4f927a
    SHA1: 486bf23deceac14ea27896a5741aca302c77ee48
    SHA256: 2e97712022dae969814d022183d0fc69ff090064eb2e8d0cff7b9b9b0dc0f574
    SHA512: 9e782333c3fc80b2560a48a7732719ea1be95ed1ac892c4d555dbeb7ff0c422900109108f9813e558881a95c6e192fef6b21f99d97ae574d76e531eff61be1b4

  • C:\Users\Admin\253086396416_10.0_Admin.ini (second version written)
    Filesize: 171B
    MD5: d0555bd51218fa73b9b70b9968430965
    SHA1: a7c83dd3d8f00854d5824ac35909aba5f56359e2
    SHA256: 2558d6be60a2f9e431c335d77cee55d2364d00451bc46140fa5306bd3550e2d2
    SHA512: 72718235800c2d0aeeabc119e6cbe1e7d579dc359fa6b3d3dd77ddc7b6e465a4c3af78e120820c2e2d4808736e60fc88e038e49166de54076933d9287ef9ff53

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 2.6MB
    MD5: 140d47b2025034deadb15a30d69ca833
    SHA1: 85b7edb780a9b21a0689b436f9b617e40c129cde
    SHA256: c2557c032d7522350d35e87a58e91fffbe4dba1ad3d2da4b51d5f73adbbba004
    SHA512: b756a13c38efebb38018b192e3a55fdaa9f9d33aa7e35395affec25c71c702affb229c3d97a09042e3450889ae3a3847f6d7cf28da60e88485a5293a1ff9681c

  • C:\VidAC\boddevec.exe (first version written)
    Filesize: 2.6MB
    MD5: 1cf901b195a1379f2072d593c4493a43
    SHA1: 86b1a05fc7db62211e984d172f92a7c4f32ab442
    SHA256: 3d52e7bc0bc4f8ff13db145f916000655626046a3f08ed385bcd51f41324710b
    SHA512: 685785d98f6ca9ca9db71f03038554ae82202d6191f5ec7e15b4cdc282ff83dc603677f48390116a8ca031ef11222b0f062fb7fcd0a2bd13222562f6774917e9

  • C:\VidAC\boddevec.exe (second version written)
    Filesize: 2.6MB
    MD5: 1519c29f81a2d882266b0cb2fc08c6ef
    SHA1: b0ea222619b2b6c3014b8fad8c91e6390fc700a7
    SHA256: 2ec36c1f9fafa5616d4181f2813942079341183fcc0f429595577437979d6c60
    SHA512: f4b76c8600eb13c361989135e23b195d09b85fa67057252b1c87b7844af0853dc400687f96306963bcfc6e8cf5fc4c2401650b8d7f38d182e6813a58b7354297