Analysis

  • max time kernel
    118s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:06

General

  • Target: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
  • Size: 3.6MB
  • MD5: 52e077fa15122034a64c117e7808ce20
  • SHA1: 36097a2e0d084de643126e98ad1f2888b55b61c8
  • SHA256: 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353
  • SHA512: 1a499fb6d13595813d49c92e5ee09062012f7350f14e44ab2732d740877614db9a2ad2679ecd0c659736ecf45e35e2599c5c939592727e68d03240a2b4896edb
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
    "C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2624
    • C:\FilesXI\xbodec.exe
      C:\FilesXI\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2524

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesXI\xbodec.exe
    Filesize: 1.2MB
    MD5: 5f64861955603d6f426d7871b3014efa
    SHA1: 5b50761c4d274b41e989dd385d3e03dc6c7bb1f6
    SHA256: 5bcd017eee66a9075353896e1454f2c8e52dc623e506a64b67605e7dd83353e1
    SHA512: f663429cb98e380a4adf5e354692ed130513e2892f5d842cce29fb3699f09af7fb8823f4fee595913ab2d6cc8f940a4e22c412846bee3579d3532e8881554339

  • C:\MintR5\dobxsys.exe
    Filesize: 72KB
    MD5: 459618bcca750b5533666c7585e055b6
    SHA1: 6202619d112878a1bdf8014a2e696dea9752e00f
    SHA256: 957265a8f281496de3480f04bbfb3a1761a968dfa4e3db5c51a5fdbffc90bf9a
    SHA512: 9b436fdfa54f87123149c7209f9dbe92f1c4526c46d1d5a39762e96ef0a37835eb05478e6c37721ec1a1551e738149d352f9e678739621b0179fa5783ad0e1c2

  • C:\MintR5\dobxsys.exe
    Filesize: 3.6MB
    MD5: 8202402d3c8b3ba301422f3b264c2475
    SHA1: 2a83f3a0ccd947f9074234ecf732582c325270e1
    SHA256: d5e7d0696af9eda8747989952c1c1a8ef7fd87f9435fce36a6406c18d19f9092
    SHA512: b937709fe00c0e84081eb24c9da330e9c46e66ecc8f05d81f646d9f25c1b6efe3a8e982f93365bab03558d373f4fc20a21a7b01219039982c939b515096839cc

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 168B
    MD5: 297110f3a0c779f3e2e886d3542f812a
    SHA1: c4262291444f230e2538926e940aa45b74efc57c
    SHA256: 7ecca22fdfca87967fb99b045d63a94a7737ba2a999e503487f63bd9a64b604e
    SHA512: bff58642c7d239f50c2f8db4a9747a9ca55dffc389ce2c27eef434ab29bc476482b885532158cd9b10ac9e0c7c91dcbb89aa79c8b201d43ff100a3073ccd47de

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 200B
    MD5: d6ee1ad2a245fcc7bb05ad5760c16803
    SHA1: 89095f8044528e9ca221a92c9cb3eab4f40c576c
    SHA256: 55f0fd5377b57af12007e226ad1aa40c170a7dea52b7ef0160b06db6f4f2880b
    SHA512: 67124760f06c3b956f8bd03077df5d6b1fe202efd3a17a8cf1da53c9f89e478ae2d9ebbdbbca2c9d5591736f1ebf998948b93abbbf7651940e798b71d000f3a0

  • \FilesXI\xbodec.exe
    Filesize: 3.6MB
    MD5: 1f07df99e0d7862db027647b5ab63a6e
    SHA1: 1f732785a6921f27b9299681711de721ad801235
    SHA256: c693ade3a462dd193914a1378d0bc636dd7ee76e30cdbf1c6a496096c5dab8e8
    SHA512: 62eac6429609c78f175c60c73eaeab3e514bc6b4c7b9b352e25806f1f4df3a332d603374455bf9fb5febfce8cf8807083e4200061eea56d0e007491ec298b13d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 3.6MB
    MD5: f1170ab96ff0d6245a1d78434184d88a
    SHA1: 6b544f906bfd5c5eb675af2ecd04d8b6fd300f3b
    SHA256: 0eab4708b3e9e17a0b2c66c22f8291a4c8151fd1257360d850a3fe8350b19b22
    SHA512: 53429ac5e561b269b098d0c50116e6b3602946bb3331967efb441e75d66d9bd18c355963ce175195bf03863a12b8b80a4711c231bc7e25446d7c8ba92555d199