Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 23:23

General

  • Target

    74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe

  • Size

    3.1MB

  • MD5

    7dfb1bccca0f224d17a0fdf983b98e3a

  • SHA1

    93e2b24041efc59eab7666c9175a37da463ddcb5

  • SHA256

    74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53

  • SHA512

    41095cdf7c6e69fa75374ab18e089f7718b17da7744d5a3f96a7c49467eec720d795b4506e29e63987c4d288d37bdfbe4082abe2c8110a251ef80f8fc5204d2e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpmbVz8eLFc

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe (depth 1, PID 2192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (depth 2, PID 1932)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\Adobe7Q\devdobsys.exe (depth 2, PID 1820)
      Command line: C:\Adobe7Q\devdobsys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Adobe7Q\devdobsys.exe
          Filesize: 3.1MB
          MD5: d6099bcdd4fd8bc82c5ac53fc592b7b0
          SHA1: 44376abe6ebea0dfbb0add994ca5b844334d7d4c
          SHA256: c1f0ac49956aa45acc447f04047e9a5eb8712b5e7bc44c31d0fc3aa64aad453c
          SHA512: 27c34ff26f45beeb73dea55e72196ed9f93f16cbb1aa66ba2b01400059aac1d0d7f9ad55ce93392ce23c967b9887ffb3602c76cf5cf3f2cb4db8527833572313

        • C:\MintFM\optixloc.exe
          Filesize: 832KB
          MD5: c61445dc8ac583289054c4286ecbb9d4
          SHA1: 1c9118fbcc8a13772a72a512f2b92c898c7c56ca
          SHA256: a56a17b6b5fba4f4101335a4a977348e19fb9083b49adacaf739dc392ca38f11
          SHA512: ac5e8c359b1b021fbf84cf170461fa05c688ff8b62fdd3dcc6854f38bd7ba479064637b9ea26bde4dea18d3bfe4fbc4b9ff531a7a3b3d417364f507e18944e9e

        • C:\MintFM\optixloc.exe
          Filesize: 27KB
          MD5: 5c2d0e289513f715fd6bfd9f0fa85a22
          SHA1: d850182e707fce4533be9c4ec71d4d7848bbfab4
          SHA256: a9754ee07943551e68c0115b11675a2278749b1e1410054394fc812158153c17
          SHA512: 18c60db6bbe1e2a74531b1954d514a9f3d39452f018bc3eebc057f93f450f12cdc7658642221a078413003cb4cd0eeb294918bf546765646603b63eeae9bab96

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 203B
          MD5: 0cea97722885739e9d0a903bd4f4e5f5
          SHA1: 6b80934226024773620794e3c5c8cc0260056e83
          SHA256: b88ff87d33bd0533540b7b2ad9b22c7c7c0b1bd7db309c5bddad4863b3d76797
          SHA512: 50c22cd1f652c0d7c0d92cedffa7cedece4ed3d555cfbb66904802d595b8ad816c82727bc97be180ec49f9c278533301809414716ab57fe0a3b04dcd32adcbea

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 171B
          MD5: 7c33db144ce107a399dca64ac350cc10
          SHA1: 5ca5400384dc42c2f26ba7e38bed05433bc8826c
          SHA256: ffaba1529810f1da1a72bde119da5705d1ed1df2721d86aa5118fc9c4743260f
          SHA512: 5c073305991c9763fa25e4d47416db4e0173b6bdd76807dfafb8c8fb85e0c24fa5a5c53684eaf646d1ffa13ae15991d0e7f36ab329136626999dfc4f56c55f06

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
          Filesize: 3.1MB
          MD5: a84bf1b8102226d261da6fd19f939f82
          SHA1: 35f2bea16390e82c1eb791f3761c12430f2d9f69
          SHA256: 8f14db6215e5258af5834de0ee3e61699f556e74c4425653cf4ed862d4f5be5c
          SHA512: 1082bb1a4897979f280544be5515a167dd86dd3699217e8f3a83a2a168660ef816dc2ead2a803bc432ae6b3757dc49e005bb20b53262ee896c65878493884b8a