Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:10

General

  • Target

    b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe

  • Size

    2.6MB

  • MD5

    e7f897e8a95a79d1a4b2924f34737525

  • SHA1

    6232974a1ff86e0eae98f18d37b21349408b9b8b

  • SHA256

    b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd

  • SHA512

    f63e54bdbc16063a34c10ac4c3458e03a85002049c792603a71c8e74c9c343efcbf9f3dcbb940ccdf53c8d0e4c6dcab37cb6f6753f5e0f5edb7299cf11adc740

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSi:sxX7QnxrloE5dpUp5bl

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, and form/autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of the victim host in order to infer its geographical location. Malware commonly uses this check to decide whether to run at all on hosts in particular locales.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2244
    • C:\IntelprocS9\aoptiec.exe
      C:\IntelprocS9\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2936

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocS9\aoptiec.exe

          Filesize

          2.6MB

          MD5

          be7ee9f7b0f6ee73c6589e6ca578ae1d

          SHA1

          714487c7f225df83838c827ce88d92c442e5dff8

          SHA256

          cabd3f309e107987a7210147b25ffedc5447768d2b2effdbb4f3bf2b15c4caa3

          SHA512

          2ef5d33d7875584433fa99ec1845e6ca3714c32d9a024e667f5568ae257af9c0683c8e0c403044a6f8eeb52ac804f0fc778fb1ffd09c9b219f07ef63b19a7eb3

        • C:\KaVBYX\bodxec.exe

          Filesize

          18KB

          MD5

          35f0309c15d5d1ae5592c565aaabdc80

          SHA1

          fb22b3e296287a8b0a89eefd04c3de714d7747db

          SHA256

          96e5ce9636af06b8f1681a9c17b4e3a65c76f717b0cecd73ca4c81dabaf92b0c

          SHA512

          78b49e3bf6719a976c504a97fbf776e8fefc3c166446406f76f876c7d3afed0315df4a81d89a09e2f99fba09f9c33abe336ffc7d2c4bff9033412f4f49a3499e

        • C:\KaVBYX\bodxec.exe

          Filesize

          2.6MB

          MD5

          f6e575b767ea0bac0360f0075b4fd2ce

          SHA1

          9c356f74b5e23680935600fdaa74f47b3c52934a

          SHA256

          f957cf3c3d3f3fe5aa14bfb38c9cd32bf3b0b5b37f42a29def2024678fe63e56

          SHA512

          51c6bfcb8196e1fcb5a4d94ce2cc7b82a53716da5d6f12392d0bd1e75047c716c71885fbd968ddce13f6ad07f0b3cf6d0eec8391e30228c901a6256c0f77c0b9

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          876b4c7664c9208980c121181c0e34de

          SHA1

          dbf6f41e703474abe620d67f44723e7427b7292b

          SHA256

          fd4df50414666392b8484d889ae933c7f2218973db141861fe9dec73d341bd99

          SHA512

          9ba20b1c6bc802d1151807a2812d857907d2bff435f495cac2d3b12c4fd397d8f13eee57fbeb66928ca31e75c32d69b3ab16c48c34e1053c3b2e0ad8190d9256

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          2e0bed29bbc93ff4fa344e74f58605a6

          SHA1

          a19ad691b4f2982ff8d1096687d99baaab439390

          SHA256

          5fe4a0a9a8224a91e85a66b7df7f833ad7517c930a642b25f844199622b61331

          SHA512

          136754e48b38f1b8ae86cc01be90f343e2eeac4fc60abad98e1f6b5bcae2dd75af739456160cfa322100e459dbf0bd73d95cf5a5ab2f085ed03181994c48d485

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          2.6MB

          MD5

          e8658cba037fdcbf2f171e4a728fec0b

          SHA1

          1a6125fa00330b6e1f8550dd7c0e870ad5cc5f54

          SHA256

          d2c9fd06736fa8a15bc7b2f6c37cac1796f825d7aeb17824728be1c098ba0041

          SHA512

          c9a7b8a74d42823c55bd4f440f3e64a3d4507cbf54ae5ec105571bfe67e1819ffda3afdfbf2532f5928a5de36f592398cb985a149e800b5d6ebffb478f4c56c9
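The signatures above (Drops startup file, Adds Run key to start application, Executes dropped EXE) together with the process tree and the dropped-file hashes are enough to sweep other hosts for the same infection. The script below is an added example written for this report; it is not part of the sandbox output. The SHA256 values, file names and directories are the ones the report lists. Everything else (function and variable names, the regular expression for the per-user .ini, the assumption that the .ini name embeds the OS version and user name) is this example's own choice and should be adjusted to the environment. It avoids cmdlets newer than PowerShell 2.0 so it also runs on the Windows 7 platform the sample was detonated on; run it elevated.

```powershell
# Added example: sweep a host for the persistence artifacts and dropped files
# listed in this report. Not part of the sandbox output; run as Administrator.

# SHA256 values copied from the report (submitted sample plus dropped files).
$ReportSha256 = @(
    'b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd',  # submitted sample
    'cabd3f309e107987a7210147b25ffedc5447768d2b2effdbb4f3bf2b15c4caa3',  # C:\IntelprocS9\aoptiec.exe
    '96e5ce9636af06b8f1681a9c17b4e3a65c76f717b0cecd73ca4c81dabaf92b0c',  # C:\KaVBYX\bodxec.exe (18KB write)
    'f957cf3c3d3f3fe5aa14bfb38c9cd32bf3b0b5b37f42a29def2024678fe63e56',  # C:\KaVBYX\bodxec.exe (2.6MB write)
    'd2c9fd06736fa8a15bc7b2f6c37cac1796f825d7aeb17824728be1c098ba0041'   # Startup\locdevbod.exe
)
$ReportNames = @('aoptiec.exe', 'bodxec.exe', 'locdevbod.exe')

# Directories the sample wrote to, plus every profile's Startup folder.
$DropDirs = @('C:\IntelprocS9', 'C:\KaVBYX')
$Profiles = Get-ChildItem -Path 'C:\Users' -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
$StartupDirs = $Profiles | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash, which Windows 7 / PowerShell 2.0 lacks.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function New-Hit {
    param([string]$Type, [string]$Path, [string]$Detail)
    New-Object PSObject -Property @{ Type = $Type; Path = $Path; Detail = $Detail }
}

$hits = @()

# 1. Files in the dropped directories and Startup folders: exact hash match first,
#    then same file name with a different hash (possible rebuild; review manually).
foreach ($dir in ($DropDirs + $StartupDirs)) {
    if (-not (Test-Path $dir)) { continue }
    $files = Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $h = Get-Sha256Hex $f.FullName
        if ($ReportSha256 -contains $h) {
            $hits += New-Hit 'DroppedFile' $f.FullName $h
        } elseif ($ReportNames -contains $f.Name.ToLower()) {
            $hits += New-Hit 'NameMatchOnly' $f.FullName $h
        }
    }
}

# 2. Run keys. The report flags "Adds Run key" but does not show the value name,
#    so flag any value that points at the dropped directories or file names.
#    HKCU only covers the user running this sweep; other users' hives must be loaded separately.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and similar metadata
        $val = [string]$p.Value
        if ($val -match 'IntelprocS9|KaVBYX|locdevbod|aoptiec|bodxec') {
            $hits += New-Hit 'RunKey' "$key\$($p.Name)" $val
        }
    }
}

# 3. The .ini written to the profile root (C:\Users\Admin\253086396416_6.1_Admin.ini in the report).
#    Assumption: the name embeds a numeric ID, the OS version (6.1 = Windows 7) and the user
#    name, so match that shape rather than the literal file name.
foreach ($profile in $Profiles) {
    Get-ChildItem -Path $profile.FullName -Filter '*.ini' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_.+\.ini$' } |
        ForEach-Object { $hits += New-Hit 'ProfileIni' $_.FullName "$($_.Length) bytes" }
}

if ($hits.Count -eq 0) {
    'No artifacts from this report found.'
} else {
    $hits | Sort-Object Type | Format-Table Type, Path, Detail -AutoSize
}
```

A hit of type NameMatchOnly or ProfileIni is a lead, not a confirmation: the report shows bodxec.exe written twice with different sizes and hashes, so a binary with one of these names but an unlisted hash may simply be a later write of the same dropper. Pull the file and hash it against the full set before acting on it.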