Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:09

General

  • Target

    3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe

  • Size

    2.6MB

  • MD5

    203f4c41eb2e8c69a4d33856f1af0c68

  • SHA1

    ff754d5ed459f7190f466557c2d5be8b6d919890

  • SHA256

    ca5af6f50665a4c1144ceb697f95cfee6eaf1b03a76f21064c36470003d771d6

  • SHA512

    6e88038aeff2497207cf1fdaff0f033eff9f5db5c022668e590ee34ecd3153a8a014cb197c6c2198ba88b8e85fbc286c8aa02f746a71efaacd66db6c2aeb247a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqF:sxX7QnxrloE5dpUpfbVF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4636
    • C:\UserDotIW\xdobec.exe
      C:\UserDotIW\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZLM\boddevec.exe

    Filesize

    1.3MB

    MD5

    edc71393ea857991b959f692211394cc

    SHA1

    c58739ecd6dbd58b503883e8173da967fe0e3c60

    SHA256

    19bdd01583ea0db1065ee3f9313b1ae83b1d827c27ba191c992bd02802a64cac

    SHA512

    8eaf2e70948678238a0f98264d018ff7ce497a0699d92568f6a2220c59a3d56f88b6a4fdc19907e65b033b3aa1fb000823bcf6c899423955dbd5a76445b36de8

  • C:\LabZLM\boddevec.exe

    Filesize

    71KB

    MD5

    b778f2984d61340954f51bd23758bd63

    SHA1

    46ddd67c78e22c022482adcb173afe7c81876387

    SHA256

    b2a36646a0220c6892734d66d4e411165f6407f4e9c047278f4d141be7a00722

    SHA512

    2555f289e51e213806faa1544b8dcc2768ac29a5469ef84ad6e240c1ab3130a542f1beed35a7536183c0b020a7ce54b5ccb43a4b641539107235b81bca4537cc

  • C:\UserDotIW\xdobec.exe

    Filesize

    2.6MB

    MD5

    e1f8d75f1a41ab978480738be4a27ee1

    SHA1

    6927beeecd4b16dc315811a7bf5407d69a9a6bf0

    SHA256

    0a1d71c370f0cf644bd33af8a409ade1eabdf33175acc0c0295d26942ec45a73

    SHA512

    d8932b5dacfbed00215f376f11d2193aeb642a7e670e76b251ed45eb71e10f0c30d1e66e1425d531ed714be52e83e62fe0398c037b8bdb8e542ac1d3736c20ea

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    bc783d705b44889b999137bf5278189e

    SHA1

    32f2d83e70c2168d3e9dc72d7ca6b4272ed163f7

    SHA256

    7e56f496b8367e4caa130f842a5c32f361e9a3737057893bab2a9fb4572279b2

    SHA512

    755c5d1ec32f0a7468e33e45f0cbb84417534e66e0663d7a1ce8f8202e32a5630a405514f0c20f0d4f91eb2db2349d0f0fe1b2ed2040b48a5ffae33e2bf500af

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    39f18f5510fb6cfe6d2099195b43436a

    SHA1

    4b6c8bc46469c66731d3acd030ead0120659b50a

    SHA256

    0a38a41c2661cacfe266bc1f6dc3fdaac1ee6698018420f085c83398ca58822c

    SHA512

    1fdfb7f749d0c80989b6abbd5015b70000b5fe29d83cb686b43ada78aa382a23ac4487485f15365249cc6c11888a436bf5e30f476d8a88ee01bdc2da3ac71186

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    a376742f860268ba51ae459def55e9dd

    SHA1

    71846821276caf2c4727b977b175e6c9171316be

    SHA256

    826a5e143e9fb935433bec19f6bf0f0f725616f4970e0f54be027e3bb7bee7e6

    SHA512

    7911d4997c7da40c0c084c11dff54c834d238b1a3c7c533e63952f18bb34ef1619bbd056579be2dbb47905891f201cd0399137aa6a33708e4c586f9181b55c97