Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:22

General

  • Target
    f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
  • Size
    2.6MB
  • MD5
    41900496309d72e11d5af391a8b889b0
  • SHA1
    4bf4222d730078646fb1fc6293836e7d9673ed9e
  • SHA256
    f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4ef
  • SHA512
    0eeb36e21ab7af47c471a9cc1bcbd182143763048527020f55ed5d35460b512fb4202b3c751dd3849cdd1b56400d3dde280ee22ceec1ed6cac4509b4d51a51b5
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSq:sxX7QnxrloE5dpUpjbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe
    "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2868
    • C:\UserDotAX\xdobec.exe
      C:\UserDotAX\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1040

Network

Downloads

  • C:\LabZD3\dobxloc.exe
    Filesize: 2.6MB
    MD5: ee6a56762852aecd2d6e1b8c3f388bef
    SHA1: 335046e007df26e7353ae96f26098a32fd3a96b8
    SHA256: e0130f358a9156ba8374f79119db8a7d50e70de9cf2e0ce46b96497691fb90f8
    SHA512: f7ffe6edcd47ca077547e9185338167d961ca85a75f79889325a528121f97f9725f4eaf0bb393d7185d5a9974ed18abc0f314154449fbd3e48b2f9ac9e3cf694

  • C:\LabZD3\dobxloc.exe
    Filesize: 2.6MB
    MD5: bbb0c6c7a6c67897de19645899e1f24c
    SHA1: d88cb22274569cf1d91dd90377b9e3ff0847e30b
    SHA256: b799981257aea423acc7a25c2eee236218ef9fd5e8599ad8d53843fa9ad52e2e
    SHA512: 0f34cbdcaab51355fca0a07866b575ae80554a1722f5e31dd3d2ab6b07f43295850fdb90efbcea49b02a905362b5fba2b3917258e6c0a51ffc5ce3a08873c249

  • C:\UserDotAX\xdobec.exe
    Filesize: 2.6MB
    MD5: 3d90dcd573832f834e485ff6865a03cb
    SHA1: ab602a63d65db68732311774422786b8296af452
    SHA256: 54ce01ed7606e61f5d82a98f1e68ca8fb797c8abd983c0ea6d72404e9dd7b749
    SHA512: d4f3ba7eabcc96ca86f5c38ca5fc145eaa085e50a297ed0c3b23f28ad7900e8b737a74bb0de86235db0769ee1ab214fde218d39a376853c076b96ca648e4dc4b

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: bda33358b509794634c212f541471029
    SHA1: a52975d24e201266f1e386416d349e93fdef1a10
    SHA256: 5297b3245b821085c0e9d1618002d5e2cbc939c5a87f8804d1ec7af70b850306
    SHA512: d9d974aa57cc97bf2f7d4cbe1514911440aa785bae15e83f594fd44320dc7a37c3cf47788d499cd1dcf33ad8ae3475229d468c8adaf5eb18021615e4e47e2703

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: a2f18086ca5853c9103494318563810d
    SHA1: 3dcad6388185cea472201aaac88f0c6fb2f48898
    SHA256: a6dfa849764a256889dfd14cd39099081bd1fb1ad806bdc8b80ade38257762db
    SHA512: 8a372804e4637d04ce283b1b79f38eda7bdaab715da5e8a68b53e40a2a1fb50e7d6b7b34157a959f7819421f2d2a36bb7b4f6483336a903632743028cab17c09

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: effb5f2b1ebc23df7eefa1857f06e30b
    SHA1: 4fcc32dd3c93dd2c6f6b87dae6b65ba64ece4ae6
    SHA256: 49219336c8318e0671610f08849948b291108e65afcce282d76d71a926ad46f9
    SHA512: bed6221eaa1bb658b0ec6db6e145e0da981e522483e8f484effa85184e01cea3b9a780503f4ace865806ddddd6599a36def7ed90c0cc021460f681b499ec5d43