Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/10/2024, 13:43

General

  • Target
    54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  • Size
    4.0MB
  • MD5
    14be2a9e768c5f9b271bb6e12c719800
  • SHA1
    296d5bd1976aa5a7c4171a877fb03a99ee7b0c82
  • SHA256
    54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904
  • SHA512
    c43f39c3c8aa961f320f4d47d3b42afeb81e5eebab7f29730f919ef354fa474cc46ed5b854816d0731cb6118027370efdcf6e4cb487218229ac953cda1ac3468
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
    "C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2220
    • C:\Files1O\aoptiec.exe
      C:\Files1O\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2360

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files1O\aoptiec.exe
          Filesize
          93KB
          MD5
          b5c0de4a0aeb209ef138246a7fb84861
          SHA1
          d1d8776f857ca62f150a0ff55e52436c1f0d285e
          SHA256
          53a2e937a09f39809cf6cc39c9c16b6f04c72a56da860d85c5682e9c42221093
          SHA512
          8238641d9edf8d17ca4b133742898b11a31eaac6d0c14fb8b9bcd281980e0e91d247b5a07b0fdbf51312d51d7595a1ea2edc4a7e6a4ec65cbc9474b4dfd896c7

        • C:\Files1O\aoptiec.exe
          Filesize
          4.0MB
          MD5
          70080309d1cf5ac0817d1e56e38026c7
          SHA1
          654a44a7013bc0d8fd46ff568a71ef2c4fb51eff
          SHA256
          8bef7198499be009425b3d9ad2237710a000d8b7ace1bd48a2af941a9a955a3d
          SHA512
          1c53b8097b2791b2080d8992107ebb082cc56ab4b5bb599beb1d790a10de18dbf2eec1ecdc861650d4fdecc4a58f7ab9ffc0617fd85164721a652d0ce05b63b1

        • C:\Mint4Z\bodaloc.exe
          Filesize
          1.6MB
          MD5
          afc3f238d7b77db08bff177f42f0da56
          SHA1
          23638de8b5081d205a77e7617bd11cf26b7e8a02
          SHA256
          a2eef49fb4aec5ddfea8f1deb57fb39e92cb83e7b2a26bd182136fe8b2a6f2b7
          SHA512
          114aecd61e401401ab3b26b18a49bf3b6f44d09f0f8bb0f71ed7461a3bbcaf5454c8dfcb6cecca433a55bb473249ab52b202c8e566e99710104f992b12554ccd

        • C:\Mint4Z\bodaloc.exe
          Filesize
          167KB
          MD5
          f723fd14245742bc54fdaa5ce3177ac0
          SHA1
          dfce84126d809b47ae87ce723b290779380ba5f9
          SHA256
          5a0b3e5642da5a6f5dddc996ae2d7c8f11cba9debb86835c041953f7ebc2fc65
          SHA512
          e08e6388a8b777cd03ce50af18489246b563f5b70af24c693decc03b7f1ad43e8b007b1758b9fb65136d2a452575a052a91461bfd72555122174f54a5f072bc6

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          200B
          MD5
          f80bf74803b3472042ef15449cf19068
          SHA1
          32fb8b8ed1756a7ab77eba0f6ba55d80c1ea9a92
          SHA256
          efa278446cd18a84941935b346039a335be87dd7284967c198c04681341de8c9
          SHA512
          d42aa2907526736a0e31da396305be6f9d9a3d7af6ee5520a5dbe3ee334835a4060acb93e6dbea28068078bcf46e67942a14be9b2249aa6e3e8a88c7650dcf70

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          168B
          MD5
          897f766a5006fc1352b43b59c1ab728c
          SHA1
          7a74164c36f6d737be9f12fa1337c662dbf9365e
          SHA256
          0a27024f7a752d2e34ad29702cd1bf7968c812da002cde7081fd4feb2b60866a
          SHA512
          d5a38282be6dfef77894c372dc17b9b0c719d6738edc6e25ab2025fd3677ef82f94a54b42a417c8ca9dd5978355807d0c5eccb22b014133991208611e8ec440d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
          Filesize
          4.0MB
          MD5
          00e6a9e7a3a8b9b41abe44c13d1a4085
          SHA1
          746f03f63a0833b3437016fe8645b6cb66a91cd2
          SHA256
          325966b84cdbaf8e73b2fc03fbbbef64fac8902f8c00d02e7e5f62aa4ec2a93f
          SHA512
          966ea7cdee1778796e808f5654383c05c9058aa0426c0cc7342271ff742420c2d30f7a8f367d05067752490511f3f3ee8fdc01e13833ac9cf3ec756508e098c2