Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/06/2024, 20:29

General

  • Target

    2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe

  • Size

    3.0MB

  • MD5

    4727d9b040ee0aa624713fe75d534379

  • SHA1

    037d1af38ad859a82ce3e0a09a31db3822d063e4

  • SHA256

    2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f

  • SHA512

    e73b2a67e39a39f15edd8662fb46dbd3b8ed1d710a398b86f1576038c4a8e266c16c37661c15dff480cfe2079c1431a4624f3096c6db16ed5297e09b8eb92f13

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNX:sxX7QnxrloE5dpUpnbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
    "C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2172
    • C:\FilesHE\xdobsys.exe
      C:\FilesHE\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3068

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesHE\xdobsys.exe

          Filesize

          3.0MB

          MD5

          3cf2aa331d966bbc7e900a4aa0da4eb5

          SHA1

          6060ff46a29f94679c9debc34ba57c1ffb347f8e

          SHA256

          c4eafbe13ffded41e79dc520f215d130a610b1315d055f9d9695c08cb2a01344

          SHA512

          a994f99e3e879769a681263828cc20061448aec55f44774f94090b0c633644addf83f1c5737dfa3e39b2b00b542e82332d71b218064c388803d354ce799b0c10

        • C:\LabZSD\dobxsys.exe

          Filesize

          3.0MB

          MD5

          3ab20eb04bf117d293b2b173b46cf421

          SHA1

          13a279dd3a6f32f3748559331aad834ea5833d29

          SHA256

          c7cd79839d9d579fad658ed96ef2ed26c8ead00bdb5c12a0fa1568500e283c99

          SHA512

          a234a14e4fa93d8e22d21f967213edd4ab658e0dc58041ac8221bbbc47e621c1a8714916598f1a160b565b12644c3b94dc4a775a53d30a4b1280c8504785ce4a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          0e0023155685f24775b075491b8a142c

          SHA1

          0c504c627013fdbb406bb9b3900cd580aa7282f4

          SHA256

          884f606c8d089a07250b090097eaa195d77ae286a8a28192cc2edb85e7338dd1

          SHA512

          860740fb9d0d61f4690f77fbadf15b880000a6ab721c6ea07d6533cb2003c6bc5501deb4ddfa41b92a7a281b9b4651a401db6905226e65e7544f6dc69e2ff845

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          c73491ecb6955ef78e3649e30046eee7

          SHA1

          abd61f8cec8deba33164bd7250e21f2b11d2b991

          SHA256

          c95fe04a2d15fd3b6620f720a2c51cb3a4114372c933921dcedf3915c8f94dc6

          SHA512

          b2056c7c8a37c9d9aafe0767fe7cd0def0ec7a1164ea60a5c11dcf8b3fba40251e71374353d8638f00c404b97ab989108b3b87c629a1355f2b820e5945ee7980

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

          Filesize

          3.0MB

          MD5

          25636731376fccc8b8992e8215b9c823

          SHA1

          e12812761938ebe1ba7db6f3b3f138f969df92f7

          SHA256

          74c9de95453d374e0701e07c6a396ce4f89174d1046c90104fa51e9181721b44

          SHA512

          2f5095cc121fb1b71d9102bdb177443f4067ec7d9b9de865387c388e87db1b6efbbf362302567142389bf9c530b7856366f4d176698b7c8ea05f971216de415d