Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15/01/2025, 22:23

General

  • Target

    bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe

  • Size

    3.6MB

  • MD5

    d4c7e99f9fa1071f60f5e8be949a6554

  • SHA1

    dc7efdfc80aeab13dcfe9052135bd22757defe00

  • SHA256

    bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602

  • SHA512

    1f97cc9c34763dec1b0d7d21873d14e5d561e747f2f2c82ba6bc7eb48e29f3ad2aae88c3c8fc674440fc06c902d64260b815f1bf12eb335d87a794a5574846c1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20tK:sxX7QnxrloE5dpUpNbVz8eLFczp

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
    "C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4776
    • C:\SysDrv9U\xbodec.exe
      C:\SysDrv9U\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2424

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\MintFC\bodaloc.exe
          Filesize: 3.6MB
          MD5: dfbaddceb6d9bea5c2d9005d5e6de1a0
          SHA1: 2fd996df9f1492c970ffb4930a6241bced11fd67
          SHA256: fd0a90952f495811310a0cb7d2b93f8323eaf326015003e99811758f84f7b9aa
          SHA512: 282ea69da2ba20b3b34653bc079088b6efc14e73a8f1fb31139803c2164df9a2de8693a0926583cae478bf1faf3283cd1c77692ebd87d68ecbeb43ed1e18064b

        • C:\MintFC\bodaloc.exe
          Filesize: 343KB
          MD5: 84c5440f24c9935959754a01da280aa4
          SHA1: 3ba44e0a60dd46e4a3294239a56a36532bb4d5d1
          SHA256: a8057b3592266fb7e9ba472aa16a5d8ea22da0306a5a1e3fb4522d4fb86e21eb
          SHA512: 1478eec04d4699f8947610157ecfa53fb1253e1996ee3ecbc77e73468a8073d3ff962863b5453fbd3225a0f5411fc1c748c55805ab326557c289c8c239b498e6

        • C:\SysDrv9U\xbodec.exe
          Filesize: 3.0MB
          MD5: ff40983d88efa695db0f234024d647b5
          SHA1: c5fb7e015f16f5f33d2c7ccd3698a0450a61ff84
          SHA256: d561fa4d132969c5eb40bec150a40103354f4173b28f03ec01c2ed7c1c7586e0
          SHA512: 4379b7761e2b6a532383486cf070b520513805448a3dede8b9e90cefafb958814dffb4a094f86ed241694d51f966ab41d36184c11e3673ac70ce7a7975374dd2

        • C:\SysDrv9U\xbodec.exe
          Filesize: 3.6MB
          MD5: bc17c5baa4a7dc876f8e69813267210c
          SHA1: de070610ff6bc102dcf8fab9ff8fa9301a058202
          SHA256: 9d2c3654f55eb33f3e75591698e15659eec0c3cf63415032768a850947f10abc
          SHA512: fdcd27017ef8563800b9ecabd52967ed0cd42afb84f7c5000460428b2ed4f6921e7a099752b8d84034ecbd12b224accbd9a6b99100a0d1f736ab788b20bb4a17

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 201B
          MD5: 563da3a064bfcadda4f764d72341e523
          SHA1: 2b70dc1588fc232d9bdeebd3cc91d19c189db247
          SHA256: e988c8e3a54ad58b29ad739eba70f20073f9407f7128e37edbccbda9940deafa
          SHA512: e9cd024ed8670387d5402afb786fbb56027edde89ba50b7562041e5535a830ecb76d18efc52e13732552c0716588eeec88853f7e45d0b38019ac3801a79640eb

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 169B
          MD5: f555c5c330cb2d6cf9ffc9b3f8ffec5f
          SHA1: f2b7478e93291976cd6620e45ab08bb30f88684f
          SHA256: c804143a41668eda4815e27aebbf60cfdd2c57892d37fed4dbdff1e111d75bef
          SHA512: 73169e479780233eca1398889ed860b55807106ddd7ce14bb653de2faf54279049f16f699d58e1c72602626f4624eb57fee50aaaf1694b7c03ce4df824126787

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
          Filesize: 3.6MB
          MD5: 30dbc8db6259acf35250033b11f52ca3
          SHA1: 66e97d0edaa0718c102f9594493bef916fe46505
          SHA256: 439534e953dcaf6481456b74c38570c78e30dc3cc5e624a690b5fe946da05dba
          SHA512: 3bd35236a31446075cbb961f8271f5eb7f0c962ee04173697fd63b830a21a0472509acfbddc839d8bfc90b15f2db5822b2c37ef49d934881425ae6de4d825c33
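The Signatures and Processes sections above record two persistence mechanisms (an executable dropped into the user's Startup folder, and a Run key whose value name the report does not display), and the Downloads section lists the dropped files with their digests. Note that C:\MintFC\bodaloc.exe and C:\SysDrv9U\xbodec.exe each appear twice with different sizes and hashes, so each path was written more than once during the run and a compromised host may hold either version. The Python script below is an added example, not part of the sandbox report or the sample: it turns those records into a host triage check. It hashes each listed drop path that exists, classifies a file as a hash match, a path-only match (a known drop location holding a different build) or no match, and on Windows enumerates the HKCU and HKLM Run keys for any value whose data names one of the dropped paths. The `%APPDATA%` form of the Startup path (an assumption that the same per-user folder is used outside the sandbox), the `DROPPED_FILE_IOCS` table and all function names are this example's own; the marker file `253086396416_10.0_Admin.ini` is left out because its content differed between the two captured versions.

```python
# Added example, not from the sandbox report: triage a host against the
# dropped-file and persistence IoCs the report lists.
import hashlib
import os
import sys

# Drop paths and SHA-256 values taken from the report's Downloads section.
# Two paths were written twice during the run, so both hashes are kept.
# The Startup path uses %APPDATA% (assumption: same per-user folder on a
# real host) instead of the sandbox's C:\Users\Admin profile.
DROPPED_FILE_IOCS = {
    r"C:\MintFC\bodaloc.exe": {
        "fd0a90952f495811310a0cb7d2b93f8323eaf326015003e99811758f84f7b9aa",
        "a8057b3592266fb7e9ba472aa16a5d8ea22da0306a5a1e3fb4522d4fb86e21eb",
    },
    r"C:\SysDrv9U\xbodec.exe": {
        "d561fa4d132969c5eb40bec150a40103354f4173b28f03ec01c2ed7c1c7586e0",
        "9d2c3654f55eb33f3e75591698e15659eec0c3cf63415032768a850947f10abc",
    },
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe": {
        "439534e953dcaf6481456b74c38570c78e30dc3cc5e624a690b5fe946da05dba",
    },
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def digests(data: bytes) -> dict:
    """Compute the digest set the report lists for each dropped file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def _norm(path: str) -> str:
    """Expand %VAR% references (on Windows) and normalise case for comparison."""
    return os.path.normcase(os.path.expandvars(path))


def classify(path: str, data: bytes, iocs=DROPPED_FILE_IOCS) -> str:
    """Return 'hash' (content matches a listed SHA-256), 'path' (a listed drop
    location holds different content, e.g. a rebuilt sample) or 'none'."""
    sha256 = digests(data)["sha256"]
    if any(sha256 in hashes for hashes in iocs.values()):
        return "hash"
    if any(_norm(p) == _norm(path) for p in iocs):
        return "path"
    return "none"


def scan_drop_paths(iocs=DROPPED_FILE_IOCS) -> list:
    """Hash every listed drop path that exists on this host."""
    findings = []
    for ioc_path in iocs:
        real = os.path.expandvars(ioc_path)
        if os.path.isfile(real):
            with open(real, "rb") as fh:
                data = fh.read()
            findings.append((real, classify(real, data, iocs), digests(data)["sha256"]))
    return findings


def run_values_pointing_at(iocs=DROPPED_FILE_IOCS) -> list:
    """Windows only. The report records that a Run value was added but not its
    name, so match on value data that names one of the dropped paths."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows
    targets = [_norm(p) for p in iocs]
    hits = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, value_data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                index += 1
                if any(t in os.path.normcase(str(value_data)) for t in targets):
                    hits.append((label, value_name, value_data))
    return hits


if __name__ == "__main__":
    for real, verdict, sha256 in scan_drop_paths():
        print(f"{verdict:4} {sha256} {real}")
    for label, value_name, value_data in run_values_pointing_at():
        print(f"run  {label}\\...\\Run\\{value_name} = {value_data}")
```

A path-only verdict is deliberately reported rather than ignored: the report already shows the same drop location receiving two different builds, so a known location holding an unknown binary is worth collecting even though its hash is not on the list. The Run-key check matches on value data because the report confirms only that a value was added, not what it was called.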