Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 01:19

General

  • Target

    d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe

  • Size

    2.6MB

  • MD5

    f975d76498c7cff6e1a283bcb5a167e0

  • SHA1

    278b1b0092b196db6a2fd168a35c7bde8763e430

  • SHA256

    d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113c

  • SHA512

    b4629ef75eb898a47bda3871d337a5a61856929202689ba83fd67ab0e62a7339ccb802fb06d199ce64fc0c31b759bc08c4335d5dd3e8019b9f802783876d8de8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpLb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
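The "System Language Discovery" signature above is triggered by a locale check: the sample queries the Windows LANGID and, typically, compares its primary-language part against a built-in exclusion list before continuing. The block below is an added example and not code from the sample or from the sandbox; it reproduces the LANGID arithmetic (winnt.h PRIMARYLANGID/SUBLANGID/MAKELANGID) and the live query via GetUserDefaultUILanguage so an analyst can check what value the sample would have seen. The exclusion list in `locale_excluded` is a constructed illustration; the report does not show which locales, if any, this sample excludes.

```python
"""Added example (not from the sandbox report): the LANGID logic behind a
"System Language Discovery" check.

A Windows LANGID is 16 bits: low 10 bits = primary language, high 6 bits
= sub-language (winnt.h MAKELANGID layout). Locale-gated malware calls
GetUserDefaultUILanguage()/GetSystemDefaultLangID() and aborts when the
primary language is on its list. The list below is a constructed
illustration, not a list recovered from this sample.
"""
import sys
from typing import FrozenSet, Optional, Tuple

# winnt.h LANG_* primary-language identifiers used in the illustration
LANG_ENGLISH = 0x09
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23

# Constructed exclusion list (assumption for the example)
EXAMPLE_EXCLUDED: FrozenSet[int] = frozenset({LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN})


def split_langid(langid: int) -> Tuple[int, int]:
    """PRIMARYLANGID / SUBLANGID: return (primary, sublang) of a 16-bit LANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def make_langid(primary: int, sublang: int) -> int:
    """MAKELANGID: inverse of split_langid."""
    return ((sublang & 0x3F) << 10) | (primary & 0x3FF)


def locale_excluded(langid: int, excluded: FrozenSet[int] = EXAMPLE_EXCLUDED) -> bool:
    """The decision a locale-gated sample makes: stop if the primary language is listed."""
    primary, _ = split_langid(langid)
    return primary in excluded


def current_ui_langid() -> Optional[int]:
    """Query the live UI LANGID the way the sample does; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetUserDefaultUILanguage() & 0xFFFF


if __name__ == "__main__":
    # 0x0409 en-US (the sandbox locale), 0x0809 en-GB, 0x0419 ru-RU, 0x0422 uk-UA
    for lid in (0x0409, 0x0809, 0x0419, 0x0422):
        p, s = split_langid(lid)
        print(f"LANGID 0x{lid:04x}: primary=0x{p:02x} sublang=0x{s:02x} "
              f"excluded={locale_excluded(lid)}")
    print("live UI LANGID:", current_ui_langid())
```

The sandbox ran with locale en-us (LANGID 0x0409), so a check of this kind would not have stopped the sample there; when triaging a suspected locale gate, rerun with a different UI language and compare the process tree.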

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2688
    • C:\FilesOT\xdobsys.exe
      C:\FilesOT\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\FilesOT\xdobsys.exe

          Filesize

          2.6MB

          MD5

          4d9cf771fb8e74a81c50672c908d776c

          SHA1

          53284bcaeec8a6a73c8b3514b1e2715c498de845

          SHA256

          e9443a1a72f434f1b4ff26caeb142b9a999a7c5ab2e99a442049c1d6acf5c4d1

          SHA512

          eac6f863c9b02fd4c497baacfce748df9f3371874fac9b62ff8c4ab1a8ae4dc4aa41adc002c4314e0caf26bbc696e06b3b17e64e99252491a47c424712a135cb

        • C:\MintRX\optidevsys.exe

          Filesize

          2.6MB

          MD5

          ebdc35d7254c99def9219917c79662f0

          SHA1

          778cab0923645fd7b82b64146c66feea9a1801b8

          SHA256

          5278fcc45f79b614aefc74622d200753e7bd388b0ec499bc3cea4843d68a0b4c

          SHA512

          4be269edb11d776925ed68d44cd7288152fde38b412646fbef10ae7a7c171cc90e33b3ccad7cae7bbd3dafafbbc6b8f9e512644f21e2df767da17b3651d559bf

        • C:\MintRX\optidevsys.exe

          Filesize

          2.6MB

          MD5

          a1e8daec3c0529d0c84653e594c674e6

          SHA1

          4b4dbbd2659b9766aa856d9fc68b2cd1b9670670

          SHA256

          cc81ba9b96923f610c291d2334f98e804a8494614f0498e4b5d1d5bf4a7852bd

          SHA512

          36230da409ec282d6c7a25b7221cd2ff65cc179d6d5e0c95ae503a2fd71f43c4d58528ec7a874bb22e86954716f1df62e5e56cbbfe1bb51563d243237df421e3

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          34f3c4d39001897f4421795117f84c8e

          SHA1

          76ab80295f178e7e9fba0c29e7ae340e80147306

          SHA256

          e3ef49a601373e6399f416a5c100a3e4f616aa350a57b382876525fb584b6391

          SHA512

          83c04cf1f9dab30b6cb966fc42844775998f38f2ed82b36d3cf5df6c96d54bedea5461bb0b45964c9497bcf52d4f1620c6665550f37441db9f031a89fd6a1548

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          c438ea64186f522af644e1f3d0a69dee

          SHA1

          a7e81174feec195e30047b4f3ac9aa5a2e2c3868

          SHA256

          dd2ff09e6dfd828794000d6f1f19627c376cd239a073dfb5fa39e8edf1aa0294

          SHA512

          469f98afeb76a7febb9c0e268a39fcdb729fe9cb563900b8acac146b3c3e0966c068f6b2321088b9151f30e7a9a50f37942add0ae92de329d40625147ef8dd37

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          efcd8aefdb73e99d0de812d7f113a7c8

          SHA1

          9424344c76ce12dc8c811f785bd90dbaddc74cb7

          SHA256

          a678197c85e5c1ed4c40e17e2d0c8e92dd8d757ac3c965e5767f2cbb3bb8e478

          SHA512

          5cd2c0b8f7d247695b15f2920d4173c7dfd98cc9ab2ffeaace7523b94aa46bdb4667b521b61ab70a01ec99b68aab60d871dc9e1bdd88daca8621c3f90273d7ee
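The process tree and the dropped-file list above give a reproducible set of host indicators: two new directories under C:\ (FilesOT, MintRX), a copy in the user's Startup folder, and a Run key. The block below is an added triage example, not code from the report or the sandbox. The paths and SHA256 values are copied from the report; everything else is an assumption: the checked file system is a mounted image or copied profile under `root`, the Run-key check reads `reg export` text so it also runs on an analysis box, and `SAMPLE_REG` and `build_demo_tree()` are constructed data (the report does not show the Run value name or its data, so the value name "xdobsys" is invented for the illustration).

```python
"""Added example, not part of the sandbox report: turn the dropped-file list
and persistence locations into a host triage check.

Paths and SHA256 values are from the report. Assumptions: the file system is
a mounted image or copied profile under `root`; the Run key is checked from
`reg export` text; SAMPLE_REG and build_demo_tree() are constructed data.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple

DIGESTS = ("md5", "sha1", "sha256", "sha512")

# Report paths -> SHA256 values observed at that path (optidevsys.exe was written twice)
DROPPED_FILES: Dict[str, Set[str]] = {
    "C:\\FilesOT\\xdobsys.exe": {
        "e9443a1a72f434f1b4ff26caeb142b9a999a7c5ab2e99a442049c1d6acf5c4d1"},
    "C:\\MintRX\\optidevsys.exe": {
        "5278fcc45f79b614aefc74622d200753e7bd388b0ec499bc3cea4843d68a0b4c",
        "cc81ba9b96923f610c291d2334f98e804a8494614f0498e4b5d1d5bf4a7852bd"},
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ecxdob.exe": {
        "a678197c85e5c1ed4c40e17e2d0c8e92dd8d757ac3c965e5767f2cbb3bb8e478"},
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """The digest set the report lists for each file."""
    return {n: hashlib.new(n, data).hexdigest() for n in DIGESTS}


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file so a 2.6MB (or larger) dropper need not fit in memory."""
    hashers = {n: hashlib.new(n) for n in DIGESTS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def to_local(win_path: str, root: str) -> str:
    """Map a 'C:\\...' path onto root (mounted image or copied profile)."""
    return os.path.join(root, *win_path[3:].split("\\"))


def check_dropped_files(root: str, iocs: Dict[str, Set[str]] = DROPPED_FILES) -> List[dict]:
    """Report every IoC path present under root. A path hit with a hash miss
    still matters: the report shows the same path carrying two payloads."""
    findings = []
    for win_path, sha256s in iocs.items():
        local = to_local(win_path, root)
        if os.path.isfile(local):
            digest = hash_file(local)["sha256"]
            findings.append({"path": win_path, "sha256": digest,
                             "hash_match": digest in sha256s})
    return findings


# Lower-cased directory markers from the report's drop locations
DROP_DIRS = ("c:\\filesot\\", "c:\\mintrx\\", "\\programs\\startup\\")


def run_key_hits(reg_export: str, markers: Tuple[str, ...] = DROP_DIRS) -> List[Tuple[str, str]]:
    """Scan `reg export` text of the Run/RunOnce keys for values pointing into
    the drop directories. .reg files double every backslash, so un-escape first."""
    hits, in_run = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.lower().endswith(("\\run]", "\\runonce]"))
        elif in_run and line.startswith('"'):
            name, _, data = line.partition("=")
            data = data.strip('"').replace("\\\\", "\\")
            if any(m in data.lower() for m in markers):
                hits.append((name.strip('"'), data))
    return hits


# Constructed .reg text; the value name "xdobsys" is an assumption, not from the report
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\Sidebar.exe /autoRun"
"xdobsys"="C:\\FilesOT\\xdobsys.exe"
"""


def build_demo_tree(root: Optional[str] = None) -> str:
    """Constructed decoy: a file at the xdobsys.exe path whose content is not the real sample."""
    root = root or tempfile.mkdtemp(prefix="triage_")
    local = to_local("C:\\FilesOT\\xdobsys.exe", root)
    os.makedirs(os.path.dirname(local), exist_ok=True)
    with open(local, "wb") as f:
        f.write(b"MZ constructed placeholder, not the dropped binary")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in check_dropped_files(demo_root):
        print(finding)
    for name, data in run_key_hits(SAMPLE_REG):
        print(f"Run value {name!r} -> {data}")
```

On a live Windows host, point `root` at `C:\` (with the drive prefix stripped by `to_local`) and feed `run_key_hits` the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; check HKLM as well, since the report does not say which hive received the key.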