Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 22:10

General

  • Target

    b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe

  • Size

    2.6MB

  • MD5

    e7f897e8a95a79d1a4b2924f34737525

  • SHA1

    6232974a1ff86e0eae98f18d37b21349408b9b8b

  • SHA256

    b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd

  • SHA512

    f63e54bdbc16063a34c10ac4c3458e03a85002049c792603a71c8e74c9c343efcbf9f3dcbb940ccdf53c8d0e4c6dcab37cb6f6753f5e0f5edb7299cf11adc740

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSi:sxX7QnxrloE5dpUp5bl

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1440
    • C:\SysDrvW6\devbodloc.exe
      C:\SysDrvW6\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3700

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVB9V\bodxsys.exe

          Filesize

          1.5MB

          MD5

          be370eadb2d8a1fa776878a357d0ba48

          SHA1

          78b8f9f0e33db180c2c07b4655fce9797d723cde

          SHA256

          e29f838a0a344a49700909f698316fc91be81d03583735a0bdd4b98e7c279f3f

          SHA512

          99ddf60da8f5c56c085e929aab4ad40992a1d932f1555c9c062d9eb12c97bfb5d001eefb1be210664f3343b8f8348abfda0ba00e08989451594ab265bbebf614

        • C:\KaVB9V\bodxsys.exe

          Filesize

          2.6MB

          MD5

          000c23ccac4cebefa8fc996a1429cd2e

          SHA1

          1b589c665c35920250418f8e77f262766b7c2536

          SHA256

          d4326a980d59950e4cc40fcf4ea5ca9b2129bbce5bf7d08217dfbf7e8640471f

          SHA512

          83e52b6782fb378a36e90d9015f0168f2f288bff0b06846033c7ecd795fc39794918fa23d3624d8b74dd4cb1a236fb359f5b8b274f12a649bd524d8b3bcf5cff

        • C:\SysDrvW6\devbodloc.exe

          Filesize

          2.6MB

          MD5

          613b48f2f05d06983c5e0b9c5cdc5ada

          SHA1

          f05ec43439058d64c316493be81a57276a073018

          SHA256

          e18a292b6db63e81f49fe9988bfa84e52cab132239153481527dc1f191013842

          SHA512

          32ae452c8251c70bb83be06f31f13ae601617cc129afc7dbc0770fa82f253a650691415b87d525332630f624c3142b635ec53559ff0442e278146d78128c58ce

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          206B

          MD5

          1fbb4821962f32ec9045f1b1943e361e

          SHA1

          a8a2378bea4da80c465305930ebc04a6d21f1ff4

          SHA256

          6882f54ff901f671fa80bd7054b75526fa35f67805ec0a31773d24a73fca01a0

          SHA512

          8ee203c79ed1c4befc81d74890d09a5e3fb87633d2c56e34bb78c4c2c3367e95279713f998f90151367ddf7122f57cb5b6edb708ace1d1da00a25e5fcebdd3f8

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          174B

          MD5

          9dd40a36f71984a5df766ea41a508636

          SHA1

          b3ed8d894dc94965d9905283b2c9e7f1bc9a4505

          SHA256

          7e03e0ffad9ae86be6f8b50b550cd7d5415ff5a19ed041f9f31a0b3755469452

          SHA512

          9b2fe7136a2d0129b91ca1c3247bf8dd3383eab3d410a4bc3fb4d242b2234847490da2f5eef85c9055480e2cec4a3c131e64eb74fd7096365a75e6e88800704e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

          Filesize

          2.6MB

          MD5

          041b65493b4fd1140945ba00c1967a9e

          SHA1

          59026f559eea45e692d768706ba4402e7014c748

          SHA256

          e811a89d28e8c3357db0440182595b86d4aab08918713438344a343a04e9378b

          SHA512

          3e344046394b7f68bee66a8b5d245d16b47a18c5dc1fbf133b233b4ae308e1ba1229dc32ea9d8ec629f57a386209a2dfa74748a403ae2cf0f00050d33147b7b2