Analysis

  • max time kernel: 119s
  • max time network: 18s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-10-2024 04:12

General

  • Target: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  • Size: 2.6MB
  • MD5: cd24d042147b423f240b3eea6c3b1000
  • SHA1: bbd5ad7d83dad70b59a617ce1f1f3b19b26bd158
  • SHA256: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8e
  • SHA512: ef89a132e2acb36832f5457138462a5335bc593a569f47a42e1d30ed899b0c457084a5137a54b225e89ac0dc00744c138735bc4810bff289057482dbb5580fc7
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
    "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2892
    • C:\SysDrvKU\xdobec.exe
      C:\SysDrvKU\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrvKU\xdobec.exe
    Filesize: 2.6MB
    MD5: f354c90d13c5771116e6eae9b6773cef
    SHA1: 4ff0328237d9c70166c553733d4a745f50c0b1f9
    SHA256: e75092304936f5f5119797bc488584271fec55c0013cdeb843c4ab8011ae509b
    SHA512: c7a01ab96e7bcb741012fc0dc4bb95306697b5811e9f1eaf608dd0b4dd524a88b0e32ce0daeef255d19bbd5496f651c9afd3ea1d17d870a1e1c8b29dd065ca74

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 444b53393ec484f9299586380adaf341
    SHA1: 7b9cdb33449bb0bf4386d1f4c3e6ef2bafe43629
    SHA256: 4b07dd48024a08d91d55318e0b155f265150ac47e2cd499b5affe6390d1553b2
    SHA512: 6addd054a24f7f65221e6190d90e74dd078be7ca3044a1b63045c4d524667426d8e7d75128d8a629ec54cd0fde19f2ff65affdd0f925d1f4539851b1c1370247

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: 626ec70894a0e08b876498e18d0007d7
    SHA1: 316a8346f536033bbd125b076ed2135a08ba7e51
    SHA256: c4bab531472123ba89f5433200ec26e427c9b16e575ff99416134f642c4ecfe9
    SHA512: 0566bb2ebc63fbe53f8e2c625e1c5731e2a008b337ac2a04a0b3f3b1e6653b7bd9948494e9d061e779918e7f02670fc07db29c1444d20a46539b2cb72bfa5954

  • C:\VidWO\dobxloc.exe
    Filesize: 2.6MB
    MD5: 3f2c76966604f5dd358a2f7ac3eb3f2d
    SHA1: 085ae1be6b3d506afa6b7628ff6161176b78969f
    SHA256: 3a28cf788c9dfa9706cac854f086ba9313be573e97f752c2421fbba8f30a865a
    SHA512: 0b5fda44de88e7740c9cf80dce017bfefa6712a04f966329151079fc31688f8d505f96038a4343b4d7307c5cf44eefbfe8c496d0ca951d37d370d940c459030d

  • C:\VidWO\dobxloc.exe
    Filesize: 2.6MB
    MD5: 5bece01e4d4e4cf1e5776fa34be2b9b0
    SHA1: 37a8ecb925a42eaec6a36d8cc9238047748e8a6f
    SHA256: 742ecd60d83c105e7799cd8a85eeb91c7384a746892cb792c138d62570d46df8
    SHA512: 442831384a66f81639e8c7646c76a6988b7e0e5eea1074c20e2e32fc5a47cff9e6b402bcc712d0bf14eaa2441acdb26bfd18cf5b9f2376fb4427b5156ccc2c9a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: b060d3ac8740cacac528b60fafc8d9ef
    SHA1: b8193628fc99bf6e703a65c2ab7c59b8322c7b66
    SHA256: bde89ce0447790a6f413a144b5c910445c840be0fde9dd2ab00aa4289b9cd4f8
    SHA512: 0bf4c934a1bb5aec72b2f9535742c9556cbe5f4ecbc4555db634b96b236a03c6a5d08ae142d97ce45be5795164b744648fae21b26bef1f388b805f6a8b266929