Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 14:12

General

  • Target

    115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe

  • Size

    2.6MB

  • MD5

    91397eb0bd491a98eb0795ce5c163560

  • SHA1

    9b8469b8fdbee493794ebedad56624b12326247c

  • SHA256

    115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1

  • SHA512

    a8c0aa910ed70c9c91467796fe763c9cae7a7509a400d82d11df7e5c7ab40d6ca19c7e4e06d7ca107ab4e3b2c7562b72573d1d1ef0e2874473aed14197f2a154

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe
    "C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\IntelprocPK\aoptiloc.exe
      C:\IntelprocPK\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocPK\aoptiloc.exe

    Filesize

    2.6MB

    MD5

    8418e7872f56e67f281f8855ab4f8d50

    SHA1

    c8650c8a07fc64a4a7328e0df4810dc004665056

    SHA256

    61c42d4e289e67ad3a365cd4351b6b952161b57f526c97613acc936a1ae5e0c6

    SHA512

    3f2b029c276792ab19eeee0b7cb4b0fa57c8bf6d5aae2559483daae8e65282ac5bd91152f3b2c29b506ce48557689886f851c180b04d7838aa3067bcf7864e77

  • C:\LabZN4\bodaec.exe

    Filesize

    438KB

    MD5

    308c8e2306894ff6b6b95c96afcda07f

    SHA1

    6d903f7f6384f97acde776bfaba4e07030abf043

    SHA256

    5f77870e2da0c0758b4377a54520b264b44d09bfe1a2961a7f0ea65551111ea5

    SHA512

    5a2a7789b6a0373ebdc0566a6a3935ef236a8c39f5b3f1670f779059acd9873363960ba9e3d062d5a4a7a2d69418aba58e2d1bb5f0c42a81ad3de3f4b8e93c78

  • C:\LabZN4\bodaec.exe

    Filesize

    2.6MB

    MD5

    ac0b505286c85e4b3220f1791dca2104

    SHA1

    25d39413719379b7873052e9d4093d0cfd7fded9

    SHA256

    5523d904fe4c6c07242e43b5864b26e767b7b8a610c19d76d80cd20cc35dad0f

    SHA512

    63eb1012e2fc32e359ccaed49555fcddb069433bd96c6c7095f3e06f902ed0b3097ef73847276218ab8fdbe4d6b1073a570df6a04351a89ac3c28aef766d3101

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    45d46f5d38931c01ae1ec0170e98d845

    SHA1

    aab578e7396a63f47d2ee64a3897025c76664f7a

    SHA256

    1f207737b2e9f6b662ad5c527741a91b4c228c57901e55ceea78ae7a29982653

    SHA512

    a31b7796c3eab7400c440f0fbdedb6d4ebf358ae52bebca9a557a8c8a8481341b098a3830d347834ebcb6eabda3abe45854cd9a6a93a0faab9c8111291665091

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    c6a646a38e4054ed5c2a125639cfb830

    SHA1

    89c47a7bbb49295f9130161c6d65a5bffbfe383b

    SHA256

    4d6a6e2b5794b5c0f3d140643d2f2ab430886d22dc8acd4708e4a44fd14564f8

    SHA512

    0344f8c63a948aadefcd67506125f78f47913560dab802a150ab60b0a8287a8629aae411eec108db468f44704a115038536415ac1bce83df47cbeda295e4454c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    2e58e8c126bcac6992658fcc8af10391

    SHA1

    7d9441ee6a9c8338dc86faa8fc3cdbeb0e434562

    SHA256

    add6c78dec167dd5b8386245577fcde5292f651f46a275cee79e5465d47f25ea

    SHA512

    9c9ab429342a76cd55641cb5d6ec6b4121303b343ed2d55864e2e5e0353781985f3c598f395b914104fd71fef611094a5afc73869c90319a092ba29c291c98b4