Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Resource: win10v2004-20241007-en
General
Target: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
Size: 2.6MB
MD5: e7f897e8a95a79d1a4b2924f34737525
SHA1: 6232974a1ff86e0eae98f18d37b21349408b9b8b
SHA256: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd
SHA512: f63e54bdbc16063a34c10ac4c3458e03a85002049c792603a71c8e74c9c343efcbf9f3dcbb940ccdf53c8d0e4c6dcab37cb6f6753f5e0f5edb7299cf11adc740
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSi:sxX7QnxrloE5dpUp5bl
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
Executes dropped EXE (2 IoCs)
  pid 2244: locdevbod.exe
  pid 2936: aoptiec.exe
Loads dropped DLL (2 IoCs)
  pid 1492: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  pid 1492: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS9\\aoptiec.exe"
  Process: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYX\\bodxec.exe"
  Process: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevbod.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1492: b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe (listed twice)
  pid 2244: locdevbod.exe
  pid 2936: aoptiec.exe
  (the remaining entries alternate between pid 2244 locdevbod.exe and pid 2936 aoptiec.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1492 wrote to memory of 2244
  pid / Process: 1492 b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  procid_target: 29
  (4 identical entries)
  description: PID 1492 wrote to memory of 2936
  pid / Process: 1492 b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  procid_target: 30
  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
  PID: 1492
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 2244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\IntelprocS9\aoptiec.exe
    Command line: C:\IntelprocS9\aoptiec.exe
    PID: 2936
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads