Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 14:25

General

  • Target

    53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe

  • Size

    2.6MB

  • MD5

    39e078a66e22cf574d8ff712bd217040

  • SHA1

    857a3a5925b81392e954c9d98555d15433b190f4

  • SHA256

    53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a

  • SHA512

    4073d533a854238a8c8ca21de8a9250fab81be71512c692803a3098237811147ab89aa5e4faf2794c89d46fce20a9833c4c163fb7f004aa261663cc60e10e1a7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
    "C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4636
    • C:\SysDrvDO\devdobsys.exe
      C:\SysDrvDO\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4092
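The signatures and process tree above map directly onto host-detection logic: the sample writes a copy of itself into the user's Startup folder, drops a second copy under a non-standard root directory, sets a Run value, and then launches the files it just wrote. The script below is an added example, not part of the Tria.ge report or of the sample: it takes the report's SHA256 values and drop paths as IOCs, adds generic rules for the Startup-folder drop, the Run-key write and the "executes dropped EXE" chain, and runs them over constructed telemetry lines in a made-up `Key=Value|Key=Value` format (not Sysmon's). The Run-key value name and the binary it points to are assumptions, since the report counts two Run-key IoCs without listing them.

```python
import re

# SHA256 values copied from the report (submitted sample plus the Downloads section).
IOC_SHA256 = {
    "53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a": "submitted sample",
    "2772dbbd7b43364cb32b4201cc955b0f1d49c73579227cbc34e5c775d4e72847": r"C:\SysDrvDO\devdobsys.exe",
    "9537c6a5c16ebfd543a4c3ecf7c5b494adab95726f006b336f85896c77ba68ef": r"Startup\locxopti.exe",
    # dobaec.exe is listed twice (2.6MB and 819KB), so both writes get an entry.
    "811039afd9800f5ea38fee610ec8bcad7eb66f7dbe6a9ed138fd21944ea0abbb": r"C:\Vid96\dobaec.exe (2.6MB)",
    "0140b8d5126ada1ed6de6db7f40090d8cada8143c22f7edb37e219f6d1508f37": r"C:\Vid96\dobaec.exe (819KB)",
}
# Non-standard drop locations from the report, compared case-insensitively.
IOC_PATHS = {r"c:\sysdrvdo\devdobsys.exe", r"c:\vid96\dobaec.exe"}

# Generic behavioural patterns behind the report's signatures.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(exe|lnk|bat|cmd|vbs|js)$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
TRUSTED_ROOT_RE = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def parse_event(line):
    """Split one 'Key=Value|Key=Value' telemetry line into a dict (constructed format, not Sysmon's)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def analyse(lines):
    """Return (rule, detail) alerts for a sequence of telemetry lines, in event order."""
    alerts = []
    dropped = set()  # files written so far, for the "executes dropped EXE" rule
    for line in lines:
        ev = parse_event(line)
        kind = ev["EventType"]
        path = ev["TargetFilename"] if kind == "FileCreate" else ev.get("Image", "")
        lower = path.lower()

        sha = ev.get("SHA256", "").lower()
        if sha in IOC_SHA256:
            alerts.append(("hash_match", f"{path} == {IOC_SHA256[sha]}"))
        if lower in IOC_PATHS:
            alerts.append(("known_path", path))

        if kind == "FileCreate":
            dropped.add(lower)
            if STARTUP_RE.search(path):
                alerts.append(("startup_drop", path))
        elif kind == "ProcessCreate" and lower in dropped:
            alerts.append(("executes_dropped_exe", path))
        elif kind == "RegistryValueSet":
            target, data = ev.get("TargetObject", ""), ev.get("Details", "").strip('"')
            # A Run value is only flagged when it points outside Windows / Program Files.
            if RUN_KEY_RE.search(target) and not TRUSTED_ROOT_RE.match(data):
                alerts.append(("run_key_persistence", f"{target} -> {data}"))
    return alerts


PARENT = r"C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"

# Constructed telemetry mirroring the process tree above; not real sandbox output.
SAMPLE_EVENTS = [
    rf"EventType=FileCreate|Image={PARENT}|TargetFilename={STARTUP_EXE}"
    "|SHA256=9537c6a5c16ebfd543a4c3ecf7c5b494adab95726f006b336f85896c77ba68ef",
    rf"EventType=FileCreate|Image={PARENT}|TargetFilename=C:\SysDrvDO\devdobsys.exe"
    "|SHA256=2772dbbd7b43364cb32b4201cc955b0f1d49c73579227cbc34e5c775d4e72847",
    # Value name and target are assumed: the report counts two Run-key IoCs but does not list them.
    rf"EventType=RegistryValueSet|Image={PARENT}"
    r"|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\devdobsys|Details=C:\SysDrvDO\devdobsys.exe",
    rf"EventType=ProcessCreate|Image={STARTUP_EXE}|ParentImage={PARENT}",
    rf"EventType=ProcessCreate|Image=C:\SysDrvDO\devdobsys.exe|ParentImage={PARENT}",
    # Two benign lines that must stay quiet.
    r"EventType=FileCreate|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\Admin\Documents\notes.txt",
    r"EventType=RegistryValueSet|Image=C:\Program Files\Vendor\setup.exe"
    r"|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater|Details=C:\Program Files\Vendor\updater.exe",
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Both SHA256 values for C:\Vid96\dobaec.exe are kept because the Downloads section records two writes to that path (2.6MB and 819KB) with different hashes, and the same happens with the .ini file under C:\Users\Admin. Hash-only IOCs therefore miss a rewritten stage; the path, Startup-folder and dropped-then-executed rules still fire when the binary on disk no longer matches the report.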

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrvDO\devdobsys.exe

          Filesize

          2.6MB

          MD5

          faa5e30d9a6425f82c4a43ad3f7128c4

          SHA1

          0b1825d1f380d1df33cc06e56ae96ba7a96b2cb3

          SHA256

          2772dbbd7b43364cb32b4201cc955b0f1d49c73579227cbc34e5c775d4e72847

          SHA512

          d6dc8be14930f203be718c5d917a1b70addc34da493101c296044390db25cebb8887dd385bb43413bf3fbf9f978c379c2f5d5704040d599737eaf9e7bf81cfc0

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          459a99a71e2d8e9cc60a4563b5f52fe9

          SHA1

          bb50a372d9f75e246489ba311cdd623d98f2b81c

          SHA256

          6d5080d9e23adc45756388f15e565128853195d8bb0cb768fcf3103b36015700

          SHA512

          3e3c50b72320b0a52f6f903ddcaa37957b27145b3002753660a9c772d9d1fe854ed5952dcb0dedf34c2f130fcbe608abfab6790968a4753210b9aa058412576d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          5a6e3c1c9f7e1a74059f6e6a015ac58e

          SHA1

          bb24d48118cf4e43c0d506c3a883c83a7c9419e1

          SHA256

          26025d00e054ec13b590e57a487b67c42b301021e7991c2542ea3fc175e97236

          SHA512

          c8603bdf93f88e3bef96ebd08d533638cc6acb7e32677153894573920312ecade51e92cc9e94b3965f8493d2c09ae258631ecfe2b7f30ed382f70e8e7711c12a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

          Filesize

          2.6MB

          MD5

          9c1f95c30d0df407e6420750f0acf6ea

          SHA1

          dc9ed39bf7cea44be3abc0dbb7088b4aeecc7749

          SHA256

          9537c6a5c16ebfd543a4c3ecf7c5b494adab95726f006b336f85896c77ba68ef

          SHA512

          b845d14a93dadd257fefecdd1ba98fb56c0bac9ec25f010956e65acab9641564aaeca57ae60221488c649c0e3b0862347043547285c56aef0fc8a4d88284a181

        • C:\Vid96\dobaec.exe

          Filesize

          2.6MB

          MD5

          74f50117c9488fa9586bda35f94b3e55

          SHA1

          a51137d6e0f7689cf84394f0b8f23ecc36024406

          SHA256

          811039afd9800f5ea38fee610ec8bcad7eb66f7dbe6a9ed138fd21944ea0abbb

          SHA512

          b3af9a45b3812463a302d5e6775fa15c37ca8caf2c5765c4618bd2d65781a7aeff7957dff37ba93913d949bf226f741f8518dcd47f857ed23d93e5c20642547d

        • C:\Vid96\dobaec.exe

          Filesize

          819KB

          MD5

          34ee2b334e40e599e0c77af66aa86d3e

          SHA1

          fe88ac75f08e6ceea4c20bbf39cb37ab06a404e2

          SHA256

          0140b8d5126ada1ed6de6db7f40090d8cada8143c22f7edb37e219f6d1508f37

          SHA512

          f3d35584f8561de5f026de6367f19564fa30ba8a8de347eaa1957d8fc4235859239078eecb69051ee833a936a7b5fb21738814bc6e6641581dca7a56fd32dd73