Analysis

  • max time kernel: 120s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-10-2024 04:33

General

  • Target: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
  • Size: 2.6MB
  • MD5: d86b96177072ea29abf7b9a1e2262ac0
  • SHA1: 6f6bb2c8e29626d911b176b1fb4e85892a1a649a
  • SHA256: 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144
  • SHA512: 4e7b946f7a43aaa0a339158b60a018d56c90e43f2e4e38011614d9414140bbba040afa4b144f063818e44dbb7783d4c0d15b19043acc7d4dcefa3c28be8b603d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
    "C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4560
    • C:\SysDrvOD\devbodloc.exe
      C:\SysDrvOD\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3852

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintQP\dobxloc.exe
    Filesize: 1.2MB
    MD5: 51387bf65f6ab52367768502a2735d4f
    SHA1: adcba95f62ed11a127237a38267dbea37b262242
    SHA256: 95db967c76a97f220ac69083da8205dc232cb635dad141b4ce7b59ba2778182e
    SHA512: 62a1c5440a88ccdf2a2a912e0f4b677e0b1955ff22222c62664b5a0e8a9fd5c8061bdd404a9e2058552da4a379d8195ff64f4c9a39b1c38daaaf8612096b6297

  • C:\MintQP\dobxloc.exe
    Filesize: 2.6MB
    MD5: 24dc13826c530ac0888279383f79b0c1
    SHA1: 61ff8bca4a6d4377909f834d6c08794b2cd97714
    SHA256: deaffb93caa56c5cbc8a25db30ca4f25c2b9210ebb3d4f9a5a5a8d10c8a0b8c2
    SHA512: 1d55b571fcf3164e649ce39c94e454b4c86b730200c2eaa833e9c4cf408e109d7663dddfc59d522a0b367ae9534a74b0f0f6bf1a49c03605c338c99cfa0f7f43

  • C:\SysDrvOD\devbodloc.exe
    Filesize: 2.6MB
    MD5: 20308f981abfb0240a5e3bfb669a9f9f
    SHA1: 7201f6e2309e7810fdb7c21ea645c61b25a48dbc
    SHA256: 6541d343db7f4aae2c82fad180636049ae91db631a5eb89e9467ab68abc5c509
    SHA512: 45403482a0e7ee6b3343caa00204a78951d67dc73c9b26e695ceb1930432d90e6ca9a9a516fcdd8098a799f26d9c3c0947d666459f7ea75b1d5846f9c7d77f8c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 7a2334baff1868589c96153d688e0be2
    SHA1: cb8e97cf1f85af906bda9ec0bb191310b2e9831a
    SHA256: 5d89eb9289c37126b762141419094fba4e0fb3f81a4119deb0ecea02851d9d40
    SHA512: 299cf6949aa376a8eac9b416d994471452adfb22e05221e6ec82d0bdf0e111a22972b701228c2cbc4aeb6292b31b57b7fc3c4900d86a60b55f40aab5c94bc7be

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: cfc7c59211d600233ced407dc5c6cd0e
    SHA1: d50b0660d9ce00a29cd99c2f6521661c6ba753f8
    SHA256: e2e343e40e621fd850c052ed5fa2d51287ec6f290e59cc3bedf0fcf340b07c98
    SHA512: 5aef83c1c9ec77c0505321f6947f08abffc319b5afd4c562179780fdcac9e9449a1850a6531b7b2b272af2a516943a0d81c334fa7d628835c1598824e033d1d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
    Filesize: 2.6MB
    MD5: ba8988d43e73030e8e207ae54f4ebf1f
    SHA1: 85a49edb87c702245d24ba31aa9c684401aca628
    SHA256: 48e791e7bfb78b8d65aeef7389adaa5d8d89d4ad42f1bcf70c16c2953700ff4c
    SHA512: 4601eae783a6b2d9ed7ecb4db58f885615185449fb71b8ed16d7ddb09f862ed6e8f8941a724eae71562eaafac6b7dd7316c32d62e6f36dc849d6298d37c45a2e