Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-06-2024 00:51

General

  • Target: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  • Size: 3.9MB
  • MD5: 5960c9baf8b550d272ffb4560d83213b
  • SHA1: 927608f67a071cb85586d5693c7e4f84532794aa
  • SHA256: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11
  • SHA512: a647936bf55c7c7116d6deffcf5ce0ba8ee89fdb57e5ea85456b95d915ead7419dd4356d7d1a3f26deceeae13ee97ae2bd0dbf51766cae1ab0271eab2ec190a2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe (PID 748, top-level process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (PID 2012, child of PID 748)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesU4\xdobloc.exe (PID 4036, child of PID 748)
      Command line: C:\FilesU4\xdobloc.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

Three of the paths below appear twice with different sizes and hashes: the same filename was written more than once during the run, so a hash-based IoC set for this sample should include both entries for each path.

  • C:\FilesU4\xdobloc.exe (826KB)
    MD5: c8bd6d33faf7f68452dffc3f6fde33cc
    SHA1: 510eca8974bc02b8344e1b5becb02d798ad77cbd
    SHA256: 6b98263146257b38aad02e2bf5155d30ae4033013db9ca77a526efea76cec6e2
    SHA512: a99f5c5915e5f73adf17d7dbeef963f151edd108e43933d4ee047fe0d57faf291f0a5f2e830a42c1584a422fd930a80897bf670d7fd560cdfc4c72d17f9154c4

  • C:\FilesU4\xdobloc.exe (3.9MB)
    MD5: 0e245105ac0501e80567149253e984fe
    SHA1: 31ee67f48a4965f8075daccff9a354f969936d58
    SHA256: cde8aa2a5e0ad12dbe656d1c14c6341bc86282c49e7b38fa89aae29c6934afc4
    SHA512: 2419055a734ef4a1f7e9fb643d5af555e9e24ddf9b680fcae6dd15d1f1b040e8c219ac561050a80384e7475c25a0faa60f9a4da0d8d20b7a3fa0a1816a0e9e9e

  • C:\KaVBUR\dobasys.exe (3.9MB)
    MD5: 711a9ed78b1403054c666c46cddda14f
    SHA1: 9d9ff8e0a6ded142404eb9a13d40af602e9772b4
    SHA256: a5133ca0e8d0b16f5afe99246273d4bf1b5b4cd1ed1595978cc5244e98368210
    SHA512: da9c958e93bc384cadc271ed624dfbe94223e2c02ba893decbec60a1d3ddc577de605575bd7426210ecdb6ab3bec02aa5f215120ff98a765680555f840a6d6ce

  • C:\KaVBUR\dobasys.exe (3.9MB)
    MD5: 165af7408aefd6680877863a8854344e
    SHA1: 3d071df64142a7db8e87614445574c6f35d3e680
    SHA256: 5e17fcf0ccfdc324eea924d8d8fbe1dc963a49097de3e6b060691aaee9ec38d6
    SHA512: ffbedccf3589ea0dfec03532f88334cab3dd7a038f5b3271e53e9cd58d89327d3ece721cba8020835d760537f298f31e0cefb1413ec1a9b1f45ef1d5aa07b3d3

  • C:\Users\Admin\253086396416_10.0_Admin.ini (200B)
    MD5: 956feaa236c588376be57a9bfb7f9b97
    SHA1: b5926b66a708713f7d0c27f64ec1fc1b738a7d86
    SHA256: d4c95d16f886c5e7da4c460cf12dad3a919ef147bdc07fe20311fcea17e7e06d
    SHA512: 7240dc6d331fce0eadd94e9c166911a664c3450c39a380bd1a2fd519b6606388e6a07566bad36d0880476d819062267c8ef75f7e124a109a9d4c647080b7c385

  • C:\Users\Admin\253086396416_10.0_Admin.ini (168B)
    MD5: 7dcb7586f0a7d5b3d31868358ff623d8
    SHA1: 1393dfa31c3c3ad43ba01cfbb4461bf128dc27d8
    SHA256: 08b99d4b5b8e81e6fd5b6fa98cf2bb0fdfd0bb598d422e4f79f36af61ccfb760
    SHA512: 7bdd865d541ed67271cccab71c502a319b7254492f2c240fa971889478b2c10cbacd2a3ceff23f9254926b81b6654ff35750922c80126cd8597ab02ddff5a95b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (3.9MB)
    MD5: 62773fd311d66b5105b4310d7566920e
    SHA1: 98bdd5633ea52424099b74353f3082ea495a1d91
    SHA256: aaa2e2888adc895bdf5ac5cd209715e99ff05b4589ec4d008c69e931a7736993
    SHA512: 330c1d99e18ff52da317da25844db2378ff1527f14ec17f595312a0bcd0dd5b175d27e03a95a637c23a857298fb5aab7ad75878e89fcfa3bd26d439fccb3a24e
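The following is an added example and not part of the sandbox report: a small Python IoC checker built from the SHA256 values and dropped-file paths listed above. It hashes files and compares them against the report's set, checks whether the dropped paths exist on the host (with %USERPROFILE% standing in for C:\Users\Admin), and on Windows lists HKCU Run values that reference one of the dropped binaries. The function names are the author's own; the Run-key check assumes, which the report does not state, that the Run entries point at the dropped executables.

```python
"""IoC checker derived from the hashes and paths in the report above.

Added example, not part of the sandbox report. Function and variable
names are the author's own. The Run-key check assumes (not stated in
the report) that the Run entries reference one of the dropped binaries.
"""
import hashlib
import os
import sys

# SHA256 values copied from the report: the submitted sample plus every
# dropped file, including both versions written to the same path.
KNOWN_SHA256 = {
    "9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11": "submitted sample",
    "6b98263146257b38aad02e2bf5155d30ae4033013db9ca77a526efea76cec6e2": r"C:\FilesU4\xdobloc.exe (826KB)",
    "cde8aa2a5e0ad12dbe656d1c14c6341bc86282c49e7b38fa89aae29c6934afc4": r"C:\FilesU4\xdobloc.exe (3.9MB)",
    "a5133ca0e8d0b16f5afe99246273d4bf1b5b4cd1ed1595978cc5244e98368210": r"C:\KaVBUR\dobasys.exe (first write)",
    "5e17fcf0ccfdc324eea924d8d8fbe1dc963a49097de3e6b060691aaee9ec38d6": r"C:\KaVBUR\dobasys.exe (second write)",
    "d4c95d16f886c5e7da4c460cf12dad3a919ef147bdc07fe20311fcea17e7e06d": "253086396416_10.0_Admin.ini (200B)",
    "08b99d4b5b8e81e6fd5b6fa98cf2bb0fdfd0bb598d422e4f79f36af61ccfb760": "253086396416_10.0_Admin.ini (168B)",
    "aaa2e2888adc895bdf5ac5cd209715e99ff05b4589ec4d008c69e931a7736993": r"Startup\sysxdob.exe (3.9MB)",
}

# Dropped-file paths from the report; %USERPROFILE% replaces C:\Users\Admin.
KNOWN_PATHS = [
    r"C:\FilesU4\xdobloc.exe",
    r"C:\KaVBUR\dobasys.exe",
    r"%USERPROFILE%\253086396416_10.0_Admin.ini",
    r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe",
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(paths, known=KNOWN_SHA256):
    """Return [(path, sha256, label)] for every file whose digest is in `known`."""
    hits = []
    for p in paths:
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if digest in known:
            hits.append((p, digest, known[digest]))
    return hits


def scan_tree(root, known=KNOWN_SHA256):
    """Walk a directory tree and hash-match every regular file in it."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return scan_files(paths, known)


def check_paths(paths=KNOWN_PATHS):
    """Return the dropped-file paths that exist on this host after env-var expansion."""
    return [p for p in paths if os.path.exists(os.path.expandvars(p))]


def check_run_key(basenames=("sysxdob.exe", "xdobloc.exe", "dobasys.exe")):
    """Windows only: HKCU Run values whose data mentions one of the dropped binaries.

    Assumption (not in the report): the Run entries reference those files.
    Returns [] on non-Windows hosts so the checker still runs elsewhere.
    """
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows

    found = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            index += 1
            if any(b.lower() in str(data).lower() for b in basenames):
                found.append((name, data))
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_tree(root):
        print(f"HASH MATCH  {path}  sha256={digest}  ({label})")
    for p in check_paths():
        print(f"PATH EXISTS {p}")
    for name, data in check_run_key():
        print(f"RUN KEY     {name} = {data}")
```

Run it as `python ioc_check.py C:\` on a suspect host; path and Run-key checks are cheap, while the hash sweep is the slow part and is the only one that survives a rename of the dropped files.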