Analysis

max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 22:22
Static task: static1

Behavioral task: behavioral1
Sample: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
Resource: win10v2004-20241007-en
General

Target: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
Size: 2.6MB
MD5: 41900496309d72e11d5af391a8b889b0
SHA1: 4bf4222d730078646fb1fc6293836e7d9673ed9e
SHA256: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4ef
SHA512: 0eeb36e21ab7af47c471a9cc1bcbd182143763048527020f55ed5d35460b512fb4202b3c751dd3849cdd1b56400d3dde280ee22ceec1ed6cac4509b4d51a51b5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSq:sxX7QnxrloE5dpUpjbV
Malware Config
Signatures
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe)

- Executes dropped EXE (2 IoCs)
  PID 2868: sysxdob.exe
  PID 1040: xdobec.exe

- Loads dropped DLL (2 IoCs)
  PID 2704: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe (two identical entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAX\\xdobec.exe" (process: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD3\\dobxloc.exe" (process: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobec.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysxdob.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2704: f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  PID 2868: sysxdob.exe
  PID 1040: xdobec.exe
  (the 64 entries are repeated occurrences of these same three pid/process pairs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2704 (f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe) wrote to memory of PID 2868, procid_target 31 (four identical entries)
  PID 2704 (f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe) wrote to memory of PID 1040, procid_target 32 (four identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe (PID 2704)
  command line: "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (PID 2868, child of PID 2704)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\UserDotAX\xdobec.exe (PID 1040, child of PID 2704)
    command line: C:\UserDotAX\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads