Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:41

General

  • Target
    15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  • Size
    4.1MB
  • MD5
    1474a1f70a6f904a5b2ab7667ae7d250
  • SHA1
    02f5a85e1f974db2e863fcce355cf4d31069655c
  • SHA256
    15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbd
  • SHA512
    cf84e3944adca2cce6d2620d39849154dc78e045304e1c971dd1cbc845457e493b4dadec9ad74fdd63da0c0b1cd7a8e4f77a851397bd3c18590f994eb827373d
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
    "C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1544
    • C:\FilesJH\devdobloc.exe
      C:\FilesJH\devdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:872

Network


Downloads

  • C:\FilesJH\devdobloc.exe
    Filesize
    4.1MB
    MD5
    a196bb8b4ff0261d2843a63fd47cda7d
    SHA1
    2ac12bdb281647f970a826640ed0b3e95597b3b1
    SHA256
    2a84dc62fe70d70e54b26e8d79349175c169364497e281a9de39f1debe1478be
    SHA512
    f4d09f3f127e42e4ca1a6b121e06d02a679a7cde5ced18563fa3e4da8b6c892cb5ff1b3d638194c419b3b73a9123598ab9d97fe0b66fc1d835b1647dc13c35a8

  • C:\MintKL\optidevloc.exe
    Filesize
    4.1MB
    MD5
    9ab5fa40d725ac6a41b543e625b7be0b
    SHA1
    1d82fd3a46c49014467bf91361e837d3b5a96410
    SHA256
    a016dfa3b01c1fa8e9e46414f55fe0687369549d4facf11750894f228db64a56
    SHA512
    68d96a2fafe5ed12229063d1b3f96d63f28003bb64afb60034085652602815dd4a3e4528c57dcfe31f3585c6010d7acedffd35ba5378d0f9dc211de5e6cce9ce

  • C:\MintKL\optidevloc.exe
    Filesize
    4.1MB
    MD5
    ac8dff9524179c2fc3299054ceb02add
    SHA1
    6ea8517941f2cab58fb076281858e973516a3044
    SHA256
    3c95146a217650c861598dd57e0fdc044bc229e41a12c5aa56911a580c414f20
    SHA512
    032041c453932c7d307ee72ea8b96210b205d23ed2fc54c28bd15d817835a81c594c95943ddec2046c2b8e29de3f8ddb57ffad7277140b63d347850eeea046fb

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    173B
    MD5
    305fe4e47519e22918aab150615832e8
    SHA1
    f3014d1d86ae70c4cf01253421254a792ca47756
    SHA256
    8c5e1513096563d12d916cae757e30053f2145383f8ec29c022de295bdaa4106
    SHA512
    f0ea2fa934091a01b5e7fe233f145cbe23903cfd6aa50daefe9bd6593d011f291a68c4bbc28750f0e25f92ef5031dfcf3a7bca706311a21e60863d03a9440ac6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    205B
    MD5
    fd077b004664e4ac64b427b58b0d63b6
    SHA1
    b5f7d4dba95ac5c69c0d19990bb786060e533014
    SHA256
    d7c904d14339b00ac963279e49b10b9ca5fb6ecc419cb5a76a2fc12866a49844
    SHA512
    84ff8c61127c94a81ce7680cfd145f0a81d5e95934e14a3b8553b0d43c4e0cdfe05131c09c843ad337cafc757bfef70f96de6a40d8f5f6f8f4be14af11d6b857

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Filesize
    4.1MB
    MD5
    ec24a0754d21335c2e21694968deb460
    SHA1
    d25219835331a0718a62dae46b4fcfac747fbdc1
    SHA256
    7a7ecd29f6a4d74eaf696bc85dc3c3aa28d02fc7ed3c504ec67cf42dee43b966
    SHA512
    904c9d1701ab7266e295562f8d5592287253476143d251d777136d1b91fb4dd3bed3fabe7acd3d42c876b5860e25a4d44c5ee752b197a4e47194bebfe699d97a