Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:14

General

  • Target

    234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe

  • Size

    3.0MB

  • MD5

    9093c5110a16d657b27769dc999c0ee0

  • SHA1

    510e01898403115261b241c61b013510ee5f8a49

  • SHA256

    234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231

  • SHA512

    14d5141c85dbabc6cb95a49c5a6ec659ad8281e2c6f445afcc11f91daab2b7d6037a4ec8910aafdbb85eb0bf76e09377bbaa6c2e0d3c6400d0d912bb93d0dafd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpPbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe
    "C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2360
    • C:\UserDotYB\adobloc.exe
      C:\UserDotYB\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1892
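The behaviour this report flags (a file dropped into the user's Startup folder, a Run key written, two EXEs dropped under freshly created top-level directories and then executed by the parent process) can be reproduced as detection logic over endpoint telemetry. The block below is an added example and is not part of the sandbox report or its tooling; the Sysmon-like event schema, the Run key value name `locxbod`, and the benign noise events are constructed assumptions that mirror the process tree above.

```python
"""Detection logic for the persistence chain seen in this report.

Events are constructed to mirror the sandbox process tree (PIDs 2092, 2360,
1892 and the dropped paths).  The event schema is an assumption: each event is
a dict with "type" (FileCreate | RegistryValueSet | ProcessCreate), "pid", and
type-specific fields ("path", "key", or "image" + "ppid").  On a real host the
same shape can be filled from Sysmon Event IDs 11, 13 and 1 respectively.
"""
import re
from collections import Counter

# A file landing directly in the per-user Startup folder runs at next logon.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce values start a program at logon.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Top-level folders normally present on a Windows system drive; an EXE directly
# under any other top-level folder (C:\UserDotYB, C:\KaVBI3) is worth a look.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "programdata", "users"}


def is_odd_root_exe(path):
    """True for <drive>:\\<newdir>\\<name>.exe where <newdir> is not a stock folder."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", path, re.I)
    return bool(m) and m.group(1).lower() not in EXPECTED_ROOT_DIRS


def analyze(events):
    """Return (rule, pid, detail) findings in event order.

    'Executes dropped EXE' is a correlation, not a single-event match: a
    ProcessCreate whose image path was written earlier by another process.
    """
    findings = []
    dropped = {}  # lowercased path -> pid of the process that wrote it
    for ev in events:
        if ev["type"] == "FileCreate":
            dropped[ev["path"].lower()] = ev["pid"]
            if STARTUP_RE.search(ev["path"]):
                findings.append(("Drops startup file", ev["pid"], ev["path"]))
            if is_odd_root_exe(ev["path"]):
                findings.append(("Drops EXE to unusual root directory", ev["pid"], ev["path"]))
        elif ev["type"] == "RegistryValueSet":
            if RUN_KEY_RE.search(ev["key"]):
                findings.append(("Adds Run key to start application", ev["pid"], ev["key"]))
        elif ev["type"] == "ProcessCreate":
            writer = dropped.get(ev["image"].lower())
            if writer is not None:
                detail = f"{ev['image']} (written by PID {writer}, parent PID {ev['ppid']})"
                findings.append(("Executes dropped EXE", ev["pid"], detail))
    return findings


def summarize(findings):
    """Per-rule hit counts, the same shape as the report's 'N IoCs' labels."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample telemetry modelled on the process tree in this report.
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locxbod.exe")
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 2092, "path": STARTUP_EXE},
    # Value name 'locxbod' is assumed; the report only says a Run key was added.
    {"type": "RegistryValueSet", "pid": 2092,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\locxbod"},
    {"type": "FileCreate", "pid": 2092, "path": r"C:\UserDotYB\adobloc.exe"},
    {"type": "FileCreate", "pid": 2092, "path": r"C:\KaVBI3\bodaec.exe"},
    {"type": "ProcessCreate", "pid": 2360, "ppid": 2092, "image": STARTUP_EXE},
    {"type": "ProcessCreate", "pid": 1892, "ppid": 2092, "image": r"C:\UserDotYB\adobloc.exe"},
    # Benign noise: a user document and a stock Windows binary.
    {"type": "FileCreate", "pid": 1300, "path": r"C:\Users\Admin\Documents\notes.txt"},
    {"type": "ProcessCreate", "pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, pid, detail in hits:
        print(f"[{rule}] PID {pid}: {detail}")
    print(summarize(hits))
```

The benign events produce no findings, and the two ProcessCreate events from PID 2092 only become "Executes dropped EXE" hits because the same paths were written moments earlier by that parent; matching on image path alone would flag neither. Note that C:\KaVBI3\bodaec.exe is listed in this report's dropped files but never appears in the process tree, so it is flagged only as an unusual drop, not as executed.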

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBI3\bodaec.exe

    Filesize

    3.0MB

    MD5

    e7fcf630355b6e1277254bea898fc6c6

    SHA1

    9e500fe1ac806b71c48b9a890f43c3f08fc524eb

    SHA256

    99b9c1bbd683d2c9b98f66965f4fcbaccd50f4ea1656fb50b4deaf31f31e77ba

    SHA512

    7cc986b5bc56db5182570b1f603cb8ea9bf5e76fdc30820dec4c68ebb11b5ce38220d3d6a873faea44cc4400912567054a610dfafb07856a574ee8e2519abaaf

  • C:\KaVBI3\bodaec.exe

    Filesize

    14KB

    MD5

    3d45b0eaee6cd60ad4f5568ac16ef258

    SHA1

    d7e11caa9a67cadd55724afe2d1d84adab824cea

    SHA256

    ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243

    SHA512

    2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b

  • C:\UserDotYB\adobloc.exe

    Filesize

    3.0MB

    MD5

    3badbdad86588fa014582d9b1c54fc37

    SHA1

    778624b922b5b9af0a57cada14b601d80cc749e6

    SHA256

    18ad6a4485f472626b3fe1d7fd02193984b7eb8362e87e15f7052684441efe1a

    SHA512

    7d53292877bd22a562b1780ea8e5b9978d5dab36da2604020504f9d2f77b9806e9d1309790071262152b78480765a1cf257a1ffa348920624d2150e28e993f41

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    3b6667742f7e537e5bca4ba2faa6e571

    SHA1

    a9618d96819e4aebe54bc6efbd82865a22b91bd2

    SHA256

    2d38fcb4934d451a8e439e1c92b9c84edc506ef8422d3cf13612e92351ee514e

    SHA512

    18e7f13ca68d9f3b1305456d9237abed64330ef0e7f86364f855c1302e7275e9a5754cc5bb39557cef04a44bd06d01d36066b7743c42048a51a5d01245830b0f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    a8f0e9b438885314146243af310956cf

    SHA1

    9998b7e85252338332efff871f67089613992ec4

    SHA256

    80740bdae51338f46c4d17123cad94607977e3fe1ff7b36f835a7160dfd2a66c

    SHA512

    2a05841847bb2f53154f6570231cf5420408b08011001a67fe5217fc704fc7df0ae659010e66618aba6b7eff586a9409c75319dd044179d12731dc5c078ae889

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    3.0MB

    MD5

    168a03cd55d85f22486189eeaefd70e5

    SHA1

    60d91eb179beb6d8bb49e6c14e4e4579412c2d2e

    SHA256

    b93ae94b271b89b480e78ab98900f35ad161e8ee86a06fc4416c6353061b66ee

    SHA512

    fad05c88b705404a3b759224872ceb6d9cce557cf3b73301c9da907b69028e5f10aae20326fab1cbad3944b2d79e54e43ad0695d4ac50004ebf47acf7b9dbe63