Analysis

  • max time kernel: 120s
  • max time network: 113s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 14:15

General

  • Target: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
  • Size: 2.6MB
  • MD5: bc4c0a71addfe6f7740b88d9795c86f0
  • SHA1: f576d9f33c789bc91515a2e5bd44770ad7134d41
  • SHA256: b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3
  • SHA512: 4f2f047e03ebd4fbc8dd101f8592f7fd887252c39157bc4b9c18db2a7b5ec2a14197a36829d2d3363a6b7b13026b905175574643468148ab656c36321770a355
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive items.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
    "C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3948
    • C:\Intelproc7Z\abodsys.exe
      C:\Intelproc7Z\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc7Z\abodsys.exe
    Filesize: 2.6MB
    MD5: 250db7c6f417c691769ce23d48f0d886
    SHA1: 27933c5dd12d32aabc758a24ed44185141d7495c
    SHA256: 1ed78969f54069a5803df4c5aa2aed55bc3e71afc57fbb03628a9636c3ec6020
    SHA512: a47136aa2539957d868e8b07afbfc546244c36715750eec8eaf4f46d12f9895a78c79fd4a3e8f7f160144ca25c079013483a43f7fa2f99c10f76e9efc7b16778

  • C:\KaVBUX\bodxec.exe
    Filesize: 2.2MB
    MD5: b1a65dc6265439b27cf5a228ec888e14
    SHA1: 8d16e64c078beb23e5ea488966097203debf485e
    SHA256: e372887ba607bed8a4e07f0fad47e293845c33acaf1df155f0ebca0bdd69d866
    SHA512: 07e8707017613d528f7060da43c64ca87b395306c94759977e57c2a36039ca4f5dec5058971778e06a31c2487a0e338c37037a0a45ecc066485932545e6d93b7

  • C:\KaVBUX\bodxec.exe
    Filesize: 2.6MB
    MD5: b30d44289695511470e4de44dc4f978f
    SHA1: 7296e716ed996f4fd6520db130789344ad3e9962
    SHA256: f51abcab5b1461ac5114463fc56aa1babe17efe2c6150f51ec64ce18fa9f0b16
    SHA512: 285fcebbf20dd221a1837b64bbe11499dbd2ee95ddd0d91e8dc02837279dc0c95354ce58236236119ef174f97cb2e834a9d9a074c9839abc7915a57e57b3b95d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 205B
    MD5: b8541d68cd4714b1048cbb39e194b092
    SHA1: 129ddd79233f73e96061c0997166b6d4bac063ab
    SHA256: c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e
    SHA512: cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 173B
    MD5: d375844367e3f417ed3d7a15e80eb050
    SHA1: 020e6acb873b7b1556136e720fd6d44b02cb5769
    SHA256: d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295
    SHA512: 37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: 0f0000172b831455c287c4fc3b93f4aa
    SHA1: e556774b87aadac4a76a5e2f2e0e7e42d2d759ee
    SHA256: f2d29313a7b33f7fbd9eb6c3559eae872291b7b607a6b808b7d83840c91df8c7
    SHA512: de8b45303bf1ae92787ec3f030433e1e14dccfa82231b8f89bc12b46ab854edfa4013f2f83f433e21f050c0fcc5cf826167c0d7a14eed0cf6f56e48bdc92a201