Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:07

General

  • Target

    17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe

  • Size

    3.1MB

  • MD5

    77a1409ee27e5a0ce31964df8e2bd69b

  • SHA1

    356f89bec6c0d05cbcc6ddc6f505086cc3a5903f

  • SHA256

    17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d

  • SHA512

    cd9058cc3f0301fa9038a2e303831bc17067242d04a35a2e5aa5ecc508911410461f2254548be443d0a7bbba6f8e9e6d5f29e642ec51dc9e6f4557e276a13ec1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqIM:sxX7QnxrloE5dpUpSbVz8eLFc/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
    "C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2940
    • C:\IntelprocFT\xdobloc.exe
      C:\IntelprocFT\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocFT\xdobloc.exe

    Filesize

    3.1MB

    MD5

    89db457e2ffc5cbb17de8c3cdcf2a613

    SHA1

    a7f80c8646df9bc20227833d0a09acd934594e70

    SHA256

    fd8851833424620967ffec223b6ab828c39de0b8be134a041109bc607a7d49f8

    SHA512

    acea3918f76d669f21b8ffcf4256b56b6675ffe16a4d1a6351e39f3d1b441fa2c86f54b755a945a447bca2b0e4290a44055f3692f63825a304e06cdd66082804

  • C:\MintNC\bodaec.exe

    Filesize

    3.1MB

    MD5

    bf845aa8fed7c334e79467066e5cd0ee

    SHA1

    140def44fac131579f5f4da3463c20b153235186

    SHA256

    7ee55a06d189cb8d1299b582ea21657c46ddb041be44b0ed08c797a8ed24c03e

    SHA512

    b2abf257c59ffa167b2a10925e00220f779c8011052d5e07f569b934d10ad5e54790042f64bf7a7be932d957756f668812ad03c854bf3072482e597a58ad1341

  • C:\MintNC\bodaec.exe

    Filesize

    16KB

    MD5

    7194af4ca8b5784e038c373119d798e5

    SHA1

    9c114add88126c1358d7020ca7697c5b0528ea2d

    SHA256

    f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050

    SHA512

    dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    40878f1230354d0fd041f4f470710fe0

    SHA1

    11aa86d24de207762e1e586688f64e3cadc9d37f

    SHA256

    b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca

    SHA512

    45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    701dbf1ecd0054eedb47cd021b9cc453

    SHA1

    162423eab564bbff4240251d14f2f0b698529519

    SHA256

    7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578

    SHA512

    17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    3.1MB

    MD5

    43fcfa2c72d552e9c05601722a0a718e

    SHA1

    9ab8e32fb1bc89b7967cbf8ca730202a96a07ff7

    SHA256

    a770ee52f4b979eb467e667b24dbae74d8284f9c4ec504c73af3e108abbeb27e

    SHA512

    00c5cf8d2df4fe23f36bcec6024dccd21ebb5fa640e90c6b4339bc632d24707c453bfb9f71a9dd91f0c5b4d7772eb3b3ad7288ddeb8d31817baf75c5c8012043