Analysis

  • max time kernel: 150s
  • max time network: 137s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 19:55

General

  • Target: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
  • Size: 2.6MB
  • MD5: 42e4fee316404e8b073aaa70878e8685
  • SHA1: d2c60fdbe4c1fedec87905a15bc9b517a4352b1c
  • SHA256: 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8
  • SHA512: a7f205f5ca2f9e9d794d0568f7da3d7f956677c7f9ca7a99adc73ed7615dfb16c0ca838d455f3308ccdc898465f1473cfa84dd827a97b3fbcd461117b99ec761
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpVb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive items.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
    "C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1812
    • C:\Files1M\xbodsys.exe
      C:\Files1M\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1636

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Files1M\xbodsys.exe
    Filesize: 2.6MB
    MD5: 01fbe305580138137138c2bcde879cda
    SHA1: 3cf8a39fc8a693ece5747e61d3616c16ce507971
    SHA256: 17b0f433370a4125b5411f711013c041d0ff060d0678703f765a30be6068f068
    SHA512: a15d3271ebe677362fe5a6d517f78b57f06bd38fedd6c2fcc74ce9dc8f685df37aa1b2c79d81884b608b9b295a22ae5e0f036d75e3a7be7ac86b1e09e6d899d2

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 27d24ed159c0173bc95bd6a285984ce3
    SHA1: 566356085d6885d5faf01d5d2235f7bb44b21bce
    SHA256: 564584ae4f02e48940e1ba1efd3a612be41a1e941b20822daa2865e0d731af3e
    SHA512: c41f4fb2cfa4da8c1e4f85da5ca47696b33593c1fb6401b82f7fac045a45131ddbd9aad2c3e55adf19f79edd11f9111d73e285a228228ebf72d64716ac9434f2

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 713a7a676c9d40ca56ec429db57221ae
    SHA1: bc9dcbd563a74377ac382e154f817bb37237f812
    SHA256: 3cf22097f28ab52ac38ce69f6d5209431124e16742b16623b7af23ff1204c8c3
    SHA512: ad6a2e6bc3f1dd9d3835ef5d7d999639dad371b299b9f265613d2fb3c1dc43f4eb31c41402fd4cd23e5182e889f80c3a9c1d6f1a21a0eac082acc2cab37d87cd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Filesize: 2.6MB
    MD5: 711c9cebb25cc4de314b5541bffc7762
    SHA1: 7b4bb6853ed540168288954956ad9e64aef55165
    SHA256: 13160e61bf22de75827cb46394c28969eee91246774f6c80038c8455735d2d5a
    SHA512: e6606def8c718aee66d39993d37b94eb0862763d11efb8ae6f22e4dccdedcfd964d4490b9432dc25aa3f1dd127a6781bef2308b00ce1b2024cb899e550882806

  • C:\Vid5A\dobxsys.exe
    Filesize: 2.6MB
    MD5: aa8e13b481284d1e3b2124447c5f529d
    SHA1: 1afd90a119f584fdb203de26186b14b8572de9e0
    SHA256: 26507de4f7e72ce8c2d43e7804e6757cd3f8a08f341beb66126e853c3719bca2
    SHA512: 291b9a831fc3330e55bd035b6212f57a1a187eeadbabb02feafb64790efef28760bc6252349ed75f23ad75a6ae7ff36c36f81a22043d44d00350061c7b5b9600

  • C:\Vid5A\dobxsys.exe
    Filesize: 2.6MB
    MD5: 438550544a6a512fe820406a770d89d2
    SHA1: 6f14494bb2794922f1c8d50786f344bb38e1f8b2
    SHA256: 6df202435d23f48f330248b8c3501f1c708289a75d001c3169e470d62e527a07
    SHA512: 33d91b66eee14375c65406c2d38419cb6de01b3d22a45b37099f3b4f413f37faf54fd3a19f4a9d6a12d5b2c1e6a438fe63e75b453825b07b13470e687cead69a