Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:23

General

  • Target

    1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe

  • Size

    2.6MB

  • MD5

    c0f890c9b99201af39fd56f688b7d8e0

  • SHA1

    6ca6f2ad3d375789f061c2f78aead750025bb599

  • SHA256

    1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5

  • SHA512

    27e12397a0946219f60256774774a5aab5309935a717439a6a1eae1b6c68a1ac4272178cda5d8548298fa0cc22e58adefb36ffa78d58a1f318d0d9d17f697c3c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1648
    • C:\UserDotP0\xbodloc.exe
      C:\UserDotP0\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2120

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Mint7A\dobxloc.exe

          Filesize

          2.6MB

          MD5

          f6e6640385e0242574961e8c5ccf9858

          SHA1

          e2049f891c5b94978642f1dfbd4ef8563c32adbe

          SHA256

          6f76309341b25f9b19899bbcda50fa98f5c35c3cd9613d148e7b3f49e27d5c24

          SHA512

          2d9929dd08d23a64a9ac3bddfe66c308854b956dda52538647c3be917e23ce035ed3055c1403a7f0afd6e307cc25924a5792169c22f92705525d114ffc0549e4

        • C:\Mint7A\dobxloc.exe

          Filesize

          39KB

          MD5

          8ad721cb3223c0cb0b022c6cf99d1f1a

          SHA1

          99e1b9322999587da01c53dd1be3aac20a64aae7

          SHA256

          ec4254a666580ddda21c1d4b28a9805a5d6b1bde7d697e49780a04a2f59fd39c

          SHA512

          f6c2d6c678dd330439cd301f544050af076e23f3a04efd8ee991f1744f510706ec892d2d68b699da9f65e2c45daa04d9c4173f2775f267613e4f3c00ac1d2dfa

        • C:\UserDotP0\xbodloc.exe

          Filesize

          2.6MB

          MD5

          fd41b43af8b67c35d086caf7c1b3a3a9

          SHA1

          bb7e14a1463728d07ecc840a527bf4b444c4d3f6

          SHA256

          a1fed6c3fbf784c9f8ec89bc67d568f6359094aea167b47c09e3a4840fdb0bb9

          SHA512

          3bcc9fc9e10dcdfb66b45092f1975dd1c2811cff13fa5364b5ce91db109d91b9a1cee7cd052e40dd6298a4e771884eea5cad5d78e45aa334de5f110b3930999f

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          e43e5b50d75495f8e5e54434f109ec91

          SHA1

          998b92b0539e3ef765f3dc693c0e53b4c3fb886a

          SHA256

          109261c823c5d609c3a90b576b7bbe1e0c4587db5dd05d4462dc0658bf49984f

          SHA512

          f806867e57b1c60eaa6eb09adfe0f0e9e772672d9b1a536384b739f31a23b91d79f2b30a18145893c3d4884c874ed0cdae0d6dd33f5ead1e2668c40b8880d5c5

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          7c58c48f4fefff24ed23e6e76d57edfb

          SHA1

          a3bddd073b8b456e247cb1fc8d317d3e7e79597b

          SHA256

          735f4f8a324066a6f1c731a019ed984ccfa8d5ff6ece333922fd36f22f050823

          SHA512

          c731264bba3defafd20046df0505789900493f677e69c3477d7a13c46ae704120005839161b178497dfd98c041e939d5cc71fab4cc76c949b17af31dae8b6b11

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          7cff24274e88cbe4f976252711957557

          SHA1

          f06cfb56ae41bb0f511dc4473c13694092a7215d

          SHA256

          bb2db57aabe95f3a1a47d6ea6fb107a011b5167f9cc2ed352178c91898f116fa

          SHA512

          404a9d089319047eda518905463ca87d427c699c45e171d53fea20cabd7ec0f8371009b8ed10ce53c13b8266520736dd3a99ba58ea5ba2ecbe687816062eda71