Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:54

General

  • Target

    a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe

  • Size

    2.6MB

  • MD5

    5fd1eaa5bafc7b3c881b91da1d0e0ae0

  • SHA1

    fc34e90d58f6e4d457fea938a790713b58e43ee2

  • SHA256

    a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b

  • SHA512

    87ca8039307e11b974a1c3fdb891defb14f7dd3096397813d80ae443c36a8dce4608d21db613ccf76371d183a1a099222eca2331fb2235d672bc1bfd16f36049

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
    "C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2484
    • C:\SysDrv2P\devoptisys.exe
      C:\SysDrv2P\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2060

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\MintQG\bodxloc.exe

          Filesize

          2.6MB

          MD5

          e22b211e4c3a14d8679472a91fa57309

          SHA1

          2798d43cd1213b41d2e6c96440c86ca624783736

          SHA256

          c97755b61fffe077638a97f2535729a6299fa63706ad9a42962b163dd0f87710

          SHA512

          0ceeebd90f81e754fc340a452c9336c163a1a7d08e5b6c5beb2b0ea70bab0ee212f5c6add386a536ea9ca112ddad919a9b392d133a17ece96acacb28478b2c9e

        • C:\MintQG\bodxloc.exe

          Filesize

          2.6MB

          MD5

          189ed192d349acd2a83ddc2a288ceb1d

          SHA1

          fb475a47f96cabbd115dc00105ae0edae7798f61

          SHA256

          6af10c1ca9d8a216ce7d79fe510761f1a93cde6933519781e994bad49482fae8

          SHA512

          b3c43dc218b9223ed27d3980a6fe71213e12b6ff6ce52f4740d204256ec42f667bae4e33fca58a0a079ed9477306a2214641d2028bac427e193f75745185f9a1

        • C:\SysDrv2P\devoptisys.exe

          Filesize

          2.6MB

          MD5

          a4d61fa0d0ef10d83e911cbd09f8f9bb

          SHA1

          4445de2827595773d68acf1a6282be19c2bfbd5f

          SHA256

          8c6e61a563c505a916f881c5857a9133c1ffabd7108733cd8fe8d7f23a7af81e

          SHA512

          273574fead5d0878977c9c44d4e1ecc182880fd46ed72ed75e10492c03106bc1ac53e863e06bb99422137a8bec9d27998789c46c3963534b4d376cc6c9f8a9f1

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          da257bfeeb38af3fc37155d3c1e465b0

          SHA1

          13213c8afe982db6c9edd009873ca48c747de6f5

          SHA256

          343e5e84610efb515a7a5e4d0bb2d61456e1ba25b10e27989ce20ae6e8fbeb78

          SHA512

          308a3674471eca924b7592dcf40777e9b0fbf96ae54b52c60ed24962a29bc869b34145d3111e5e8681a648dfd7295692670597200344f9fc7225a789b9a07096

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          706af30d638f1719b15fddce114bcd7d

          SHA1

          a1a61a334e00ba6ca0c93899f1c83d35ac67742c

          SHA256

          d00f1b2007caf8d4a8f299fca71aa990b7877c3a6eede409e3a0ac5ba60522bc

          SHA512

          d1dbf1a901ba3634c5756b0878c1a9c5d64621801c4bfe8bb22408597967ab6e211d57b112d077ccdf30471c702bb208c2ccbc1600f3b5ae47d7fff1da27a8c1

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          2.6MB

          MD5

          1dff1f451476e3f9aebc190ae77f65d2

          SHA1

          29376e1f6918b5d738eceb96b2a9d315ea5ff371

          SHA256

          4867f15676cea68c8ca6ba8113a215c2092688c263077d3e9a6bb211aacf3dc2

          SHA512

          777e6c3a7b138dc25b5d57760400bf4c81b0e75be1ed5dc3823787fd2eabf927c9ba482056114b78e1f68fc27bf935df4d246888b2494a5592fc504c0e28100f