Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:16

General

  • Target

    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe

  • Size

    2.6MB

  • MD5

    7204795903d90d323e85f5187f2728a1

  • SHA1

    10dd0752e9ed7959ed28b992fdf71df7a0412beb

  • SHA256

    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0

  • SHA512

    87179bc47902db598fef83161acfe2bf56841bd0586f05c04df683928c2a33fb1d1ddbcc9db48fe498b55d07645e83263ac0fdbcb233f624e484af535a1a89f5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpSb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
    "C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3108
    • C:\IntelprocI9\devdobsys.exe
      C:\IntelprocI9\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:756

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocI9\devdobsys.exe

          Filesize

          2.6MB

          MD5

          38302d484aa5e8ed101dfbecff7e95f9

          SHA1

          0cb065a03f3c4f7e595a1bffcde921279593405e

          SHA256

          697def89a6179c2df9f4bfe3e54d37d612101e7c69c3f8edaeba2935915bfe3d

          SHA512

          65e47f6289c8f3e7faa8cf7aeb978eec1d3008bd785490961e55be61dacf2990b78e4a446f5496c1173b1ed9002ef20c9de40b672f2396f1264360a7fe5e1d64

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          8cfa684fd7d4f5801a02a41ca7708de0

          SHA1

          4129299dd9e3d7bd62f3cd0a938b27696dc921e2

          SHA256

          2ec8f58303ff32473324584d5d8ce6bed57e5f92354f4a46c9b8cee0bd65e970

          SHA512

          51054e79c371edf8c884f8d393214a0fd90baa02f8c6bda1b6b733b4560eb2bf44c75045cf8c08b511c019cca14de5c393bb1eb55fd9e244192f6ef04ba4e331

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          72d37e07bb35476f2262d300f7168966

          SHA1

          62a1e037f2fec7b36119ab50b61229ad234faec2

          SHA256

          f1d0cab30eb47d6e63e982ff0c4976806ad6132899b820e06303f7ee6f5380c5

          SHA512

          89bff6e1ead0cb41edfc8e1ac52726724807627b47b2b3e2f22ebdd545af0c77d7bbc4e9d06d5643ff23de02adf0a7989df5581b2644881db6d7b985a6760f5b

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          2.6MB

          MD5

          4cb6ee0fefb1afdc96e34c2c288bd63e

          SHA1

          a204c2ed68c762d556bfe5519139ac9806c1d65a

          SHA256

          39765c570b74c9adc3e9396c4d6033763b0ad57ff7706881a6d2e3d8ac29d5b4

          SHA512

          ba6451669f472ad36e9d20dfe8fe42002522620d5a684ae0133c119f6c25c6e30b72d13de2a0d53c5454445e949ef21ee1b6845308647dd8c494ffee8d00f4fa

        • C:\Vid10\dobaloc.exe

          Filesize

          2.6MB

          MD5

          6e994e046575c87249ce971bf644b0e2

          SHA1

          02f69a3bb942ffd12081609c5e0a6d2b85bdf7e9

          SHA256

          ab74584e9f3723de382a5c1e9833e4dad300084896c358de457890003bed5c46

          SHA512

          6d4ff5a44ba5d047c5338522866cb615874c79a16e196196b58f9162a0b6433df2e9dd98c5266797b9a7f8c1616bff29aaddf99cbdb1f1e5cf8c181bfe6d8944

        • C:\Vid10\dobaloc.exe

          Filesize

          11KB

          MD5

          6e48912c750d2a4af218228dfe476e8a

          SHA1

          8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489

          SHA256

          6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40

          SHA512

          94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5