Analysis

  • max time kernel
    120s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:54

General

  • Target

    8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe

  • Size

    2.6MB

  • MD5

    cef5dad727471586603a887b866d9920

  • SHA1

    12971557a18ba400a88978d45ab759f7a35d70a5

  • SHA256

    8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420

  • SHA512

    973f8bff66d20814b9a167a6b88209524865d30dd0b397cfcfdc34fe0c49b981e7ecdfe9d25b9a375611871725e483f81d6128b63523dd5873093706e1ce72f5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers commonly harvest stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe
    "C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1952
    • C:\IntelprocQM\xoptiec.exe
      C:\IntelprocQM\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1984

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocQM\xoptiec.exe

          Filesize

          32KB

          MD5

          b49076433c0bf84919c9872909ac9b4c

          SHA1

          62ccebdcdf26aab3095a02caf388459acba54554

          SHA256

          047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99

          SHA512

          13bf6e46756787aacb11302c4300040db7eb4fcb38e7f33accfd48dab2ec6ed3056a5caf7212b585485fd71396d534800f9bef245d814f3af4489df0ab3f07e7

        • C:\KaVBQC\boddevsys.exe

          Filesize

          96KB

          MD5

          b1954ab3b29ab75b3c0afeda3ebf647a

          SHA1

          0fa156f8d5683da2ddd78471bc16a05c6ae92fa9

          SHA256

          6b87c08dce5d7efc92b0dea47aacf0d55fefd496178a2945e9ad9e57aff9a689

          SHA512

          232c3cb2ad961377c163512d1a2f74ef143f50499203c4e34860f6b6855aca60bf61293bc02a3299d2817a8109cde4bfb8862fdc3c3e5f8b1b507772375ed8a7

        • C:\KaVBQC\boddevsys.exe

          Filesize

          2.6MB

          MD5

          6df3ea7cf1922861c300217ac30281e4

          SHA1

          79aea208bfd51165575b102d8af637d3ba656f0a

          SHA256

          b6ef9da2a90b10a5a951fa3c7b8b953965947000bad00ee7d9830b7b1d6fdaa1

          SHA512

          52605efa6b6d1e6ed036837c55d4fb1c2758f6f8c3edaa0b66a9f29709176a7683bed1ec154a0f2e570636130e2c0c06608afdea86a4249443e900897a275a15

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          9595c1818b00bafb38949942e9a08cfa

          SHA1

          e8d0614f42ff2868760a0101ed3d0c6e439c3709

          SHA256

          6315a7c261c49e0e73276cf23a126806ca32112c2ad48653eb5cac4988343a96

          SHA512

          a774626e5c10f2d444d3c4f23032769124088e96ed8623b5c0a82e0f7ed16c97922d37b4077d57bfbe98bbd7174752610f75b67d758f193dbc4d93edc1ab4a30

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          b0a401153266c31081af6abec2cb5753

          SHA1

          b4d6a74df1473eca6e68be9de730900710cf52ac

          SHA256

          81f1580aed3d0608d1e5ca2e1d5736b54635b95bb0885f050fbe6c69fb5ffbae

          SHA512

          d31c99b9de0bd9279d6968cdf7ac54e1e77dec382d2b5064d8de8d0d9093aa652f98fd9f823cb49b6d11a57a993570514a62cef24198628fb49658f758ffddcb

        • \IntelprocQM\xoptiec.exe

          Filesize

          2.6MB

          MD5

          60e2bcf071cccbdc8430c7cb146c47d0

          SHA1

          c1939317d3ed8ef67440ff821f74d1ded453021d

          SHA256

          1231066abc78ffa1f27f16c2aff8b9ce019bf17de2e068ac9a30677c44775e88

          SHA512

          630f5dcfab9d96671692226d278a9818aabc1279fa68e03223e943c3a05544cfca2b27b4168816cb0a0911e9d61deaf9fb029da6d470421cf1dce6da208f29bc

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          2.6MB

          MD5

          2b2a1de9d63be333eb0655fa1907606d

          SHA1

          1bd5d48a480ff14085fa2b4ceefb9f6147ba6164

          SHA256

          0269d2b05114f2b92436d974293b0656bfcf6ec5d5f9cb1ba76206d88a655bb2

          SHA512

          b7f3cb82e356da49ae0d3bcfe58f9b7ae46efebdc4c65dae0c2e17f3ea6cdacf44881686054bed33c355301c5a43d01d77b3279dde7dda835c34042617766976
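The dropped-file hashes and persistence locations listed above (the Startup-folder copy sysxdob.exe, C:\IntelprocQM\xoptiec.exe, C:\KaVBQC\boddevsys.exe, and the Run key noted under Signatures) are the artefacts a responder would sweep other hosts for. The Python below is an added example, not part of the sandbox report or its tooling: it walks a directory tree (a live drive or a mounted triage image), hashes each file once, and flags both SHA256 matches against the report's values and files sitting at the paths the sample used, so a modified drop in the same location is still surfaced. The Run-key check is an assumption about how the persistence would be found (the report does not give the value name, so it matches on the value data) and only runs on Windows via winreg.

```python
"""Added IoC sweep for the sandbox report above (example code, not the report's own)."""
import hashlib
import os
import sys
from pathlib import Path

# SHA256 values copied from the report's General and Downloads sections.
SAMPLE_SHA256 = {
    "8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420": "submitted sample",
    "047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99": "C:\\IntelprocQM\\xoptiec.exe (32KB)",
    "6b87c08dce5d7efc92b0dea47aacf0d55fefd496178a2945e9ad9e57aff9a689": "C:\\KaVBQC\\boddevsys.exe (96KB)",
    "b6ef9da2a90b10a5a951fa3c7b8b953965947000bad00ee7d9830b7b1d6fdaa1": "C:\\KaVBQC\\boddevsys.exe (2.6MB)",
    "1231066abc78ffa1f27f16c2aff8b9ce019bf17de2e068ac9a30677c44775e88": "\\IntelprocQM\\xoptiec.exe (2.6MB)",
    "0269d2b05114f2b92436d974293b0656bfcf6ec5d5f9cb1ba76206d88a655bb2": "Startup\\sysxdob.exe (2.6MB)",
}

# Path fragments from the Processes and Downloads sections, compared case-insensitively
# against the tail of each path relative to the sweep root, so the drive letter or
# mount point of a collected image does not matter.
PATH_INDICATORS = (
    "intelprocqm\\xoptiec.exe",
    "kavbqc\\boddevsys.exe",
    "start menu\\programs\\startup\\sysxdob.exe",
)


def hash_stream(fh, chunk=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a binary stream, reading it once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match(rel_path, sha256):
    """Reasons a file is interesting: it sits at a dropped-file path and/or has a known hash."""
    rel = rel_path.replace("/", "\\").lower()
    reasons = [f"path indicator: {frag}" for frag in PATH_INDICATORS if rel.endswith(frag)]
    if sha256 in SAMPLE_SHA256:
        reasons.append(f"sha256 match: {SAMPLE_SHA256[sha256]}")
    return reasons


def sweep(root):
    """Walk root (a system drive or mounted image) and return a list of (path, reason) hits."""
    root = Path(root).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                _md5, _sha1, sha256 = hash_file(p)
            except OSError:
                sha256 = ""  # locked or unreadable: still check the path indicators
            for reason in match(str(p.relative_to(root)), sha256):
                hits.append((str(p), reason))
    return hits


def run_keys_referencing(fragments=("sysxdob", "xoptiec", "boddevsys")):
    """Windows only: Run values (HKCU and HKLM) whose data mentions a dropped file name.
    Assumption: the report does not give the value name, so matching is on the data."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive, hname in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                if any(f in str(data).lower() for f in fragments):
                    found.append((f"{hname}\\...\\Run\\{name}", str(data)))
                i += 1
    return found


if __name__ == "__main__":
    # Usage: python sweep.py <root>   (e.g. C:\ on a live host, or a mounted image)
    for path, why in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{why}\t{path}")
    for name, data in run_keys_referencing():
        print(f"run key\t{name} = {data}")
```

Note that the two hash-distinct copies of xoptiec.exe and boddevsys.exe in the Downloads list are all carried in SAMPLE_SHA256, since the report records both sizes at each path; the path indicators are what catch a later build dropped to the same directories.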