Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 20:07

General

  • Target: 18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
  • Size: 2.6MB
  • MD5: c5c77506dd0ff5ad3334e7af84c379d2
  • SHA1: e333f436c24b53d8a5f09afa8ae4b759c01f1dff
  • SHA256: 18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f
  • SHA512: a2939bb6f40b1036fdd02e9c683581de21d36422f40f6f53bfffa131ca634078021f8d1cee22ec0349374c4654206071d764ac96d463238548662e6530a1c82e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSq:sxX7QnxrloE5dpUpubV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
    "C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe"
    (depth 1)
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      (depth 2)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2364
    • C:\IntelprocYM\xdobec.exe
      C:\IntelprocYM\xdobec.exe
      (depth 2)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\GalaxZ5\bodxec.exe
    Filesize: 2.6MB
    MD5: 2a71211d12bddde6ab189f5e04304c4d
    SHA1: 1aa3b8163e1af63234e95f4fbcd8df2be7e28edc
    SHA256: b8f0bba194fe145acafeb20198f4f50e301265e5afbcaa5c9ff11da0842f6870
    SHA512: a8f30c4622be8a0139ee924b0bcfdccf0642931e69d2fd99f7b273ff8836ff55f7c6a2783ba24816ed4b06a0fe4de26231aaf55ea6c7568eb0742ea3df1d4144

  • C:\GalaxZ5\bodxec.exe
    Filesize: 2.6MB
    MD5: eb8ed978f2849c1112128369dfefa6ca
    SHA1: f6a4520af533ed7e4b9f119a52e747aa9a257360
    SHA256: d6918d0f153d7c5ee77f006e66fa3252936df51cf50902235114fc12828d3980
    SHA512: 0de984bab7e39672952dfb591eac41349c3d2aee168db9b7c613674a9a8fe6d9af7c2ee2bd559f8de0867bf78f1717abeb0ca89b08d7739d5e0cc7a35a9b412a

  • C:\IntelprocYM\xdobec.exe
    Filesize: 2.6MB
    MD5: 3e824d4ec36e02945c8460f05171631e
    SHA1: 9c8f43cd0c4cdfc14ea607923205bd017123e900
    SHA256: d1c5a4c0cf53baee1b7adaf5ea6dfebaaf67496e8f7ac6268a3be74427cf654b
    SHA512: 19b9adcd089f065e7529c90e20e682aef7a799bb51a739846e226fda7c4a004c1ccb713161ea06f8d921aba4a07ae22cfe22d20e08bedf48d1f8642381ec420d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: 2920dcaadd7096fa13cb8308e5259f94
    SHA1: aaea344df3107382d5446fa300043589d9f95b69
    SHA256: d21769806da2138f61c62670e74af66f5f62a03a31d27ccc28a75a67be6e744b
    SHA512: 4eb8494c12b53f26f8d5c9c8d051daf7b0e70b5d99b1bec905b09bb3d39f29647f80396ea89071739ffb1d274fb4cb0eeee6cc1cfd318061e365f2d6deac0f5f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 5ec1dde961c231cf9bf291bd3f5435e0
    SHA1: 7352b3260a1daa59fd6850a6bb674a146f71d191
    SHA256: feb47e3196c4370a481c0887562598475ab9a32198d2f2ba6df9ac491a995ce7
    SHA512: 9d77cb9d9874a7da91c0ea4e19318ed0c660b57d3a9f82322ef805f191aa1481cad7f7db38cb78463e4a549ce3b8d0dcf5cced5643ab171b48af3a86d08984f8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Filesize: 2.6MB
    MD5: 01a17ac131ac262b4f61e16206a214d4
    SHA1: 63a77a216d29ddf65182d85d3a47e15b44101a67
    SHA256: 1c07c62fbe47ebff5fa0cacafaccb417c335b463d953460daeeb2ac5764b5db5
    SHA512: 49ee1693b2db92916b8f20fb77e1b777a4613762ada9abb8c1a84721ce6aedde18d535ea2205c255052805b08eadceb30f18981e19d0f327326c8dabcea31c1b