Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 12:52

General

  • Target: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
  • Size: 2.6MB
  • MD5: f0b744b1415c66f734160a603184c720
  • SHA1: 3e3eb1b6ff0da239fed74b163db964a07989b53d
  • SHA256: 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2f
  • SHA512: 2eb3d293682bf0599ea86b7d455818f3201d0aa71a2d0e14ee43d5f9f63ec608f370a2ba299e5362906a244e402d58377d9e2a940d35992696e7f291a2eb6d76
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
    "C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4984
    • C:\Files4L\xbodec.exe
      C:\Files4L\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files4L\xbodec.exe
    Filesize: 2.6MB
    MD5: 3274fb7b1e41af62f5e1599fe37975bc
    SHA1: edb4cef9f85e9f2da43cdf7ed7da32acf0966791
    SHA256: 16293dbd4aca13eae316c035ac521dc1e8b56ae2eab0add4f857e1b6252e2c92
    SHA512: 1e82dbda15b85b1ec2750fb528dee396dfdf037ab58eebad2a1b08fb77fb9d63643e0f9637b94e78aa8ca1197ed7a0da8a9cea286767db5f81800854d7fa5f65

  • C:\KaVB6W\dobasys.exe
    Filesize: 2.6MB
    MD5: 5d02be3d7fa3783754a6a2a261804e0d
    SHA1: 8816b8fc938856924030544a394a1f4349c31eda
    SHA256: 8a549cf241ed5c0f1590e134906735461218856cbc5d5a59f9a82d038f33f4ef
    SHA512: 18a6dd1c8e7cfba70edd0507cb49de504247d3f40952d4a91081aecf9a3c297b071d44430ec44ddd0296b6bb794d2096fe8898bc346582d51a7a7b1f46ddb35e

  • C:\KaVB6W\dobasys.exe
    Filesize: 903KB
    MD5: 8061bf712d9a838fd6dc7b1418e16377
    SHA1: a55109db63df11e56306f4e26a51656ac532fd43
    SHA256: b239ffc41b459f36a0f56fa3a57061e32adb4d09fbcb92ef6e30386e387ae9f4
    SHA512: 33a4b8edcee731d4c6e726e7298ce94a10cdbdb116b422c8476fff894fef2379ca44f111134bff736a15962e7c329bc3dd74302da26c46cae0e00685b50ffc23

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: b649e013f0a558a09cf03599172d0731
    SHA1: 1fd7a9df0fe2aeb3b22d9a0c96967d89f254db89
    SHA256: 38cf65c2d026a8ad26657aa7b487466c4f0b33c04d0d61f3a6cac8a1db947b63
    SHA512: 9ddae270f4de77e0c314f6c0e1525e59016068024b2eee38df52b3393d44202bceb483a4e69e54e5a9cbc28050fe3840df5637aec5f08520c57ba973eb8140ea

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: 7ce02e981e1405b6511c95f11a5c9515
    SHA1: b1bc2c9bfcc89ce7a2f1a37e9d32ca410ec72962
    SHA256: 2669f8b48e8e65651a37d3274859d7c15245e2ff57c591202da30e27263a1f79
    SHA512: 6c591376e0dd8365615522e3f77727d5f004f9b5508e7d00555c85a66d849dc850ae86f109cab14338db7f74c2adc989dae4d35b5f6611747fff9766eefb10a1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 2.6MB
    MD5: 7553c1e5bea01a916c1ad0f70918b82c
    SHA1: e606f6e17d32542452b76520bc017c8c50554ca5
    SHA256: 92b431922676a7ae1f21d85a15805f963ec798a6a69fd7fa39add2e117a387cc
    SHA512: 8b30879b4983651ba6267dcdf88d152b4741db5bb26feb496c5a63d4f478947ffb036f699a8802955412b47667933fdcabaeac2a1a70ecc481182c6371376ffc