Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:02

General

  • Target

    e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe

  • Size

    2.6MB

  • MD5

    5a24aab9c57efbeeeddf8a3ab6fa1830

  • SHA1

    806fd05f97b00c41e8f22905e1b9eaccf8d75af1

  • SHA256

    e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952

  • SHA512

    841d09a3b7c3d91936b1574dc2264a9b54a0177d949836ea8944e9fa6f31a77df0a32b049aa68919cc7139ceba699f2449d2430d2e582363d7235a52530bf4fd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
    "C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2876
    • C:\SysDrvZ1\xdobsys.exe
      C:\SysDrvZ1\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintZC\dobasys.exe

    Filesize

    2.6MB

    MD5

    3ec1d1bcdaa42ac4ec33e2b600247ac8

    SHA1

    18ccdf5bdf5f55e8b609ef5cd06dd976fb21df04

    SHA256

    74eb2d8041cb9f14055c30d5a44e0ab0a23bb1641ec38254a870110fe8f45845

    SHA512

    ff60bb65d5353868713ba81b39e78ce5a743534267172123185e94001690c2ef3240adac1b5fd91919cedd99c0b1195410830477382d17cd065549cd9e6404f0

  • C:\MintZC\dobasys.exe

    Filesize

    72KB

    MD5

    459618bcca750b5533666c7585e055b6

    SHA1

    6202619d112878a1bdf8014a2e696dea9752e00f

    SHA256

    957265a8f281496de3480f04bbfb3a1761a968dfa4e3db5c51a5fdbffc90bf9a

    SHA512

    9b436fdfa54f87123149c7209f9dbe92f1c4526c46d1d5a39762e96ef0a37835eb05478e6c37721ec1a1551e738149d352f9e678739621b0179fa5783ad0e1c2

  • C:\SysDrvZ1\xdobsys.exe

    Filesize

    2.6MB

    MD5

    55f6d63e9987bcd3c926b8dcc4071300

    SHA1

    7ed0aefedf0bb37aad40cafcf20df05c0644eb38

    SHA256

    ff8bf0af9d3fa8d8cdb3c8ddaf8aea9848d002b2a98aef3c757d0f70b003b771

    SHA512

    8eed66201ce4ebff2855fde71b0d4c570ae7a818178bbd69c2319dc0b83a3efe106f8e485ef17b3d218265d3740836969aae8d07e07994f35d222fed073c078e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    5aa64fd2bcd08426d7342564b406c46d

    SHA1

    776f7d0b5e710cad5103edf8aec3e7854eb4753a

    SHA256

    55c6d44cb71742b4c11a532f4cdd12a4315be3615fc2093fe095b87f4f382a4c

    SHA512

    6414a25ebf7740921382af07a2a88f38edaded383771766e33d7dc1542042fbe4b55ccc142904d99836174271a041b169e340ea8d992c178ae378d2df680a063

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    d524912ef9d14865f0927af6853ae850

    SHA1

    435bb761aeb273092e26bff9f561ebc491c0fb7a

    SHA256

    13192db81422c7648ba6327779d307f30d245da13deff141aba1407ba7648240

    SHA512

    f1cfc291a59c61d87609a1625a1d6c2278e5953fa4175e3bf78567251fff2d9cdd0ef4bb84ff09c73be7734be4f553ab6ad69429825560e99a2f1303e55b9015

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    2.6MB

    MD5

    2e5f48597898fe09321d5807dbf8d489

    SHA1

    4ae3772501b51e5b402c29ad77714bfe90d85257

    SHA256

    cc41080cded98cd349fe187241143710a815dbb4803926268cbd17c55a5640e6

    SHA512

    9644314264193b6d0b7ca23cc7b6ad9113dc817eedc33ba1dbb10d1f856dc4e15c7aa6d6a4dd770ee57b74e1c6659ec31dbfd26b35db46136f1b56346f4a563f