Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 23:49

General

  • Target

    8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe

  • Size

    3.2MB

  • MD5

    b2aa23a9d63c0e21ca40ee9319acd429

  • SHA1

    e27c188fb31b18e217b3bdedc294cb90eec39c62

  • SHA256

    8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53

  • SHA512

    8271d9d5899a015b08c2d887cce8fd7a15a1f494ea2b55d345982bb1be5f64c229e3fb098889abfb431466ab93a7d5ac5d01c087efac61080b22dd48da3150fb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe
    "C:\Users\Admin\AppData\Local\Temp\8a54b37b52b2157d9b4db54ee42eb1c16c1bfcbe13ad4e1324d5dd8a4b602c53.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2812
    • C:\Files6S\xoptisys.exe
      C:\Files6S\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Files6S\xoptisys.exe

    Filesize

    3.2MB

    MD5

    810bb2976dffbeb4eb15f1e6a7e9977b

    SHA1

    d10654c70fa11c7e2a03baff4de91ce1b179d43a

    SHA256

    73d81188ee8a7d27965900fe9894175f05fdd662cd7d466d0dd047fdc1605f9e

    SHA512

    5fcee04e4ac2855c582ddd913ea3713af371d4bef180f2c8ac97583024fd5b64079c15308b38870dbf6718a19f87359d35f783c62caed629226001d7d06b74dd

  • C:\KaVBOF\dobdevloc.exe

    Filesize

    1.7MB

    MD5

    f2bc771d06e8c591526d7a2e8ff60a85

    SHA1

    0d050e5b6c34d5c4e5aa2b4eb42e9ae5105d9082

    SHA256

    715a42eaaa563870a1bd7a05cd71d2d771f919e5a611754dccc5a0a8689bbdd2

    SHA512

    2beebb1dbab85383379dc224b16b26a0dc3def4dfb46b9999db79b363fa39cd9663cf1c3eae3bb487748303f28e831c9d336c2f40763431875c52dbcfb7f3f3a

  • C:\KaVBOF\dobdevloc.exe

    Filesize

    3.2MB

    MD5

    0badb3c8076a6cf03b3ba04674147977

    SHA1

    1d06f8fecb1c8ce1453ad37e1e5f2f3f0eb52399

    SHA256

    51720286c4bc465dc8feddbd3a671c2fa68d957e9efaba8b5d667253052c2cad

    SHA512

    154c1eeb7b1b3de78d0dcd183b2462bd68c18145d8486d1373cc2536a3faba7a65f3f3fee9d19454852bba00f5c4c69cb8d993fb225ff9a07e993644fef62605

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    73354dd895bea906a16df6f3b98b674d

    SHA1

    687f14d3c356a322e64f0494b3bf7d0e66b51db8

    SHA256

    68c3a1eee56325ed223cf93212caba6bc7e00f7d2e516ed7c3f2278b55dc6204

    SHA512

    1d2e4051e27ffdf7e5a1d8f06e93021e56bd0d690e56fa4d3ca776b0423625e1d2725ec30d86d24a14b18c300836473ed651249f50ca450c5b014ae259e713bc

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    b39b26e9e5e692516f6923674c0662a8

    SHA1

    a1891207c27fa289e786acbae2ceb1c467cc4431

    SHA256

    4ece88c9d2550e05818e5b45d8eed426e8104554ce0326e12f4e3a67040f25db

    SHA512

    2e3b3c1ca568455ed8a6acaf47aa2a79be069956541313f9d1f160255f5c4fd30a3b99cb2cca6800a17e2db2e978fe1859ccb1fb7a6c2c0c61313ef938b720a3

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

    Filesize

    3.2MB

    MD5

    d8dfc0cb7e695c5a5ca8b329977a3433

    SHA1

    080cda28332b53a1d95528db6259fae3d3d85563

    SHA256

    32f0f21e6fd4bbb87c75f53c8c436d0e290e46f96ccf8f20a367c4e94d95998e

    SHA512

    5c8eb517d688de194f77c9d72e20a38eb40a57f5ac5486154a22761d0337999c6ebad1193126b34a3ad946d0083f30ae0fc279dcf738aeafea5fc7e04393918a