Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-07-2024 21:09

General

  • Target: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
  • Size: 3.1MB
  • MD5: 7326e2cc8b19595770965d72e1041325
  • SHA1: e1758cbd4eea1c45ef714d1c0651abe27d91fe93
  • SHA256: 352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c
  • SHA512: a94365d8c26f6042c75f9fe0eb7945509ef6d5f2fc3f7e5252678efb3bb1fc2dc1efeaaa007e849c279703f66074c08a63686e96c780a35287ebbb2c4fd92236
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
    "C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3000
    • C:\IntelprocQQ\xdobsys.exe
      C:\IntelprocQQ\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax0Q\dobaloc.exe
    Filesize: 2.8MB
    MD5: 4a3a3a621376877e555eddc5b97e706d
    SHA1: 0a5f8c0c688510d3b84c3ac0dc8d76cd00f262ce
    SHA256: e59c0139a9dfda4fd6af210ff09d93596766c1044836805c30f50176bc60f71b
    SHA512: c1dea18b7a6cf3941783835c7c46c43862d4254ac7dee6816f8d9bdf0cf9a23047944eae95724d70a93a8e66d6f4eb8ed09fe9885360a74ab59d41370ca9a9e9

  • C:\Galax0Q\dobaloc.exe
    Filesize: 3.1MB
    MD5: 51cad8754747b58e6770ef2f937b6073
    SHA1: 3728ea1c02af51dfe6abeb24f24a28930f99a8c1
    SHA256: 0c88a30896a1b8237772068ffdd5efa395ddb8799d85bb73c3741eb66ec55269
    SHA512: 2538d17ad4ccc41fc8f953b8d855e6b7dc3643a94bcea1c7fb05693e12f54012043180521739917b3f828c98125a62faac9450b3ceb4607c512402f22ebe7252

  • C:\IntelprocQQ\xdobsys.exe
    Filesize: 3.1MB
    MD5: 38327cc4f5737445b621e278bb59fd7d
    SHA1: 45784d63a822bc071674e3864ebc6f2b5c0fb5ad
    SHA256: 3e31896d6fad8b0a80a4c15a0b93fb782c7250195a144c42ef2febaa05ee6c9f
    SHA512: 3f07b0a98b9687dbdb531753c239af3cbfa83b2e2e07af835a598560f1de4446f05b1145077a82471ddcb86de37225d6e5ca776ccd5bbc3d03712a9398d58d5d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: e5b9b3e2a1ce57f949596d80bfb7fcfd
    SHA1: 14c57ee8ac739fc196894a17c8e41596636c1079
    SHA256: 9776d32b84b009045c898124997d8b4d2c1e1bf7ce5979ea4ff42fff095e24f0
    SHA512: f76b2010c6358879e243412e20a75efce5bd4b97052d8d9ca2eda94835a1ed28574bc1dd2c4238f165513e05759cb1009f52daa2e0cf20cdd3e9002c5dff4cf9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: af9387996df1527ae72349008f76a98a
    SHA1: e07e2fe38e2d82aa81a238244155c286c122b7ba
    SHA256: fb4a3adeb7744ebb952d3f4bf5a263ede5abe2dfb68e62ea13115df9a98aec89
    SHA512: 77c5d82a34b98f82f77627cbe6520987a66e01a47bf22671605f0bd09c6862d5aa6d084ad0e4a22a26883546f4c324c1e85e66fbd5357897b960570aecc5c50a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 3.1MB
    MD5: 11456bd2463e4f19a8f6e659da57690f
    SHA1: a0f746b9f45b4a3dcbbcb49cb71d9c2662476734
    SHA256: dd1ca18f4c7b8142747a28887af8df458b5ce494171fbac2ced5028c9ad623e9
    SHA512: 145870e7d3f8d44c21553dfe136189f23361ee73219072ff854ccaf82a587f585725cc5c8616e3f4383211b361c1ab9708f7c8d5170921394ec3bafaf213eb14