Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-11-2024 19:54

General

  • Target

    2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe

  • Size

    2.6MB

  • MD5

    de42ddd0cfaaf5429e5c4f361a97aefe

  • SHA1

    87a201560bb2688b45f89ef1563899d7e97649bc

  • SHA256

    2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a

  • SHA512

    4e3d21c7b2fbc49dfae38f3f72a770faa265c73468b10a00b8732fb937287fbd101a0b5b0cce7a19ed64e7205693538b66ff14a6f57c2e0565b266b019d5789d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSG:sxX7QnxrloE5dpUpzbH

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
    "C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2716
    • C:\Adobe4Q\xdobloc.exe
      C:\Adobe4Q\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe4Q\xdobloc.exe

    Filesize

    2.6MB

    MD5

    3e5523ab2df6156c90e4f3f0bb84e1c0

    SHA1

    8885021008b119f6a17fc817320fca3bd45ece9c

    SHA256

    3027099fb3fae256d1ad8c916b253f88fde3d107057cfa2ac674a595a529e4d8

    SHA512

    3cabb60cc74ee1f7ecb8dc4167965514a4d72dbb5e376385736f6873bd86c5ea9da821fe79d9ae9b41929fa200b0c99652d1a4a1d4b07ca047486fdeb3eb5d81

  • C:\LabZHP\bodaec.exe

    Filesize

    2.1MB

    MD5

    86377bd8c5909830c0e98079420c9876

    SHA1

    83104f268671b4f26978f7cbd4b73e50c8573a3f

    SHA256

    4f9fb3eb84276ebd74ee9dceee4402a06e5a9eeb7c40194cd214710fc4e426db

    SHA512

    12032b96a1c9cf59eb03af13f6ceebf60f06efd44af1529e0cfbb5de3828adf123cbac551b879229113bf4d3c50fccc27bbef4694ea68d29bcb9f16c2da8a443

  • C:\LabZHP\bodaec.exe

    Filesize

    2.6MB

    MD5

    b141eb981c5764914cb73b3fbf553710

    SHA1

    8e86a1ae2f0d5ce2ad3f1b1288e4ff99fdda0467

    SHA256

    dbfaf9d88416ade5bc02c7cbab360cbecad52705faf5d877d3d9ef52c140fb75

    SHA512

    3b5396b63291a79680e06d1ae531fca59c073a96541e5bb462198ef09af0a8f61d4dffd380ddccfbdd8efdfbea2a0a5de12883fd101ab9b0355b893dd9a6ab17

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    4b582fbb28a479608e8be68bdec97a7f

    SHA1

    da116f16c2d24c63be2a0a040444f9ed42115559

    SHA256

    f9300a24dacde446f7ea7480be488825d15c1738e4688cc5d3d87a4e5f833356

    SHA512

    5a22815fc448f81285962740cab1ad72e73a9db39ebb1369469fa1214a6df6707c664c21a4d59c50985e12eec59e3d988cd383240915393731648c99616a6129

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    08b07645d48a0cb700fbf6117f1bb989

    SHA1

    b83db46de1dbb4a3ed1d571dc16d84247ea2be17

    SHA256

    ba86b4c4e5d4ce05e44354309d1ed31c0ae724682a161856310fb399a20422a4

    SHA512

    b014aaedc0444c0b2d13022dcf8881f5042bdda434768a02b6c440472aabac30139642cc50b2a1722b89838de65d88ae710fb8f13ee243c5aec0f128d22dcb62

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    8aeaa476dff1b058d2a6f3f82b5423a3

    SHA1

    73962357c1162f68e8481f4e68f078bed751fdaa

    SHA256

    b7e4e1dfa63a16b372fb313e4415124ac7604be3a0c37e958ce07a6b8865135b

    SHA512

    be6f3a6d527983510b63b3db3cc08da112179ed2855f66be4fb2a3505ad660bd95f85cf5de4b3c42b83eddfa43ebe25ea1ccebe644353def873f44dba51f967a