Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:30

General

  • Target: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  • Size: 2.6MB
  • MD5: 5de6be5c30bb2135981ae6980539632b
  • SHA1: 8e3d53cdf18a38a840114294342ab829d82d254d
  • SHA256: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f
  • SHA512: 822bb6bdfcc1acb0a56efe7b8b3d1201898b13196662d80e0c8c736191874c67430b32f0d65c8c3295f8fd0689a2dce36313d3d98a657997091b873ced15ea53
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other stored secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
    "C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4720
    • C:\SysDrvTN\xdobloc.exe
      C:\SysDrvTN\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2632
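The signatures and process tree above give two persistence mechanisms (a copy in the user's Startup folder and a Run key) plus two drop directories (C:\SysDrvTN and C:\LabZW7). The script below is an added triage example, not part of the sandbox report or of the sample, for checking a live Windows host against those indicators. Assumptions not stated in the report: the Run value name is not listed, so every Run/RunOnce value is inspected and flagged on its data; the report only shows the sandbox user "Admin", so paths are resolved for the current user; the per-user .ini name is assumed to follow "<digits>_10.0_<username>.ini". Dropped files are matched on SHA256 rather than on path alone, because the report shows C:\LabZW7\dobaec.exe and C:\SysDrvTN\xdobloc.exe each written twice with different contents.

```powershell
# Added example (not from the sandbox report): hunt a Windows host for the
# persistence and dropped-file indicators recorded in the report.
# Run in an elevated PowerShell session.

# SHA256 values copied from the report (submitted sample and dropped files).
$KnownSha256 = @(
    '22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f'  # submitted sample
    'f9396c26c643eb1c9aa792a5a328848358f2e2f86db37464c2472ec9c10a7f56'  # C:\LabZW7\dobaec.exe (2.6MB)
    'bac4442e8f1776f41f8ed0d21995a1f810633ef8dd18cc6d7c08b3c1a2b208ca'  # C:\LabZW7\dobaec.exe (1.1MB)
    '52adb8b87905073cc6cd29f095b19ead230f8527976d4eb7c9751442a953c6ff'  # C:\SysDrvTN\xdobloc.exe (709KB)
    'cfe8e64c1099128bdd6e2299d5bcdaf0158b238fd63d1bcd2bfaa0a6a9d4d253'  # C:\SysDrvTN\xdobloc.exe (2.6MB)
    '3c26edc6b8336656b9fee07845585ca88cb29efd8a4693b138731957d8cca1e6'  # Startup\locaopti.exe
)

# Paths observed in the sandbox; the Startup folder is resolved for the current user
# (assumption: the sandbox ran as "Admin", a real host may have several profiles).
$Startup = [Environment]::GetFolderPath('Startup')
$Paths = @(
    (Join-Path $Startup 'locaopti.exe'),
    'C:\SysDrvTN\xdobloc.exe',
    'C:\LabZW7\dobaec.exe'
)

$findings = @()

# 1. Dropped files: hash every path that exists and compare against the report.
#    A path hit without a hash hit still matters, since the same path was written
#    twice with different contents in the sandbox.
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $detail = if ($KnownSha256 -contains $h) { "hash match $h" } else { "path match only, sha256 $h" }
        $findings += [pscustomobject]@{ Indicator = 'DroppedFile'; Location = $p; Detail = $detail }
    }
}

# 2. Startup folder: list every executable there, not only locaopti.exe.
Get-ChildItem -LiteralPath $Startup -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'StartupFolder'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
}

# 3. Run keys: the report records a Run value but not its name (assumption), so
#    inspect every value and flag data that points at an observed drop location.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = '(?i)\\SysDrvTN\\|\\LabZW7\\|locaopti\.exe|xdobloc\.exe|dobaec\.exe'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $data = [string]$prop.Value
        if ($data -match $pattern) {
            $findings += [pscustomobject]@{ Indicator = 'RunKey'; Location = "$k\$($prop.Name)"; Detail = $data }
        }
    }
}

# 4. Per-user .ini in the profile root. The numeric prefix in the report is taken to
#    be host specific (assumption), so only the suffix is matched.
Get-ChildItem -Path (Join-Path $env:USERPROFILE "*_10.0_$env:USERNAME.ini") -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'ProfileIni'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
}

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

On a multi-user host, run the script once per profile (or iterate C:\Users\* for the Startup and .ini checks), and treat a Run value pointing at either drop directory as a hit even when the file itself has already been removed.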

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\LabZW7\dobaec.exe
    Filesize: 2.6MB
    MD5: eb0854f1c4599efbeaae41929be8ab2f
    SHA1: 1e536113d97980522ebba0fd8b464b85dfbf57d7
    SHA256: f9396c26c643eb1c9aa792a5a328848358f2e2f86db37464c2472ec9c10a7f56
    SHA512: fea419f0d4f2e1cda3db0ffa8d8de2256c2356c96e3d0977c8d253eb1c4035d68de8012ffe7f7e799b8773e284e9cf95f7013397bbf200f98f9e15b6020c37b8

  • C:\LabZW7\dobaec.exe
    Filesize: 1.1MB
    MD5: 38542fa3467ce24e7157648d0f5318f1
    SHA1: 76d5e7462d48089828af1f57785dbb52297f6680
    SHA256: bac4442e8f1776f41f8ed0d21995a1f810633ef8dd18cc6d7c08b3c1a2b208ca
    SHA512: 121ccc105a5a14455ecf5231be025f16ea5801ef773e239c52640a922b76b4c0ee7dc9b14d0fa5edd733db24f70cc491eab1193acaa10f460b9360082424d546

  • C:\SysDrvTN\xdobloc.exe
    Filesize: 709KB
    MD5: f3d5287ec8792bac099aac22ac08d1db
    SHA1: ea746e06ed26a0177c811ee7ff97b97e9730afba
    SHA256: 52adb8b87905073cc6cd29f095b19ead230f8527976d4eb7c9751442a953c6ff
    SHA512: 043f0fd5025e71fa7a1f7bd38b3ecbc6dbd7ff2b960abe801212c562ef2ce6103aaf33b1aa236a74c38ff11fad7d47dfd1d972d8cdfee854282c9315fa43ad44

  • C:\SysDrvTN\xdobloc.exe
    Filesize: 2.6MB
    MD5: 782b332ae238d36d5bb08c01e5b8733c
    SHA1: 7eb97d397446d0d5fa4c9eeeddef2213e110f831
    SHA256: cfe8e64c1099128bdd6e2299d5bcdaf0158b238fd63d1bcd2bfaa0a6a9d4d253
    SHA512: 17179933608478ade6737cc272dd59530f4c44881adeefd48dae7b9cc3abb09090cac368e190e24a576f72c06cdf7f888243ef6c6ba81a683be96baa96fd01ca

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 0397f9679454460eb8be34c82e6474a5
    SHA1: a8b7be9cb1ee3c6119040f4dfe8077dd3d134f54
    SHA256: 7040e03ccb59e6bffa4e17e9fb0c6f8e8eaf8d4e56a3ca142257e91297c416bd
    SHA512: d475c0e007b4a32decc6e12b31bd785db37e8e34288ad2507cf7c0c4482ad28a3fb5a4cdc85eaee51745b3c6428b27ff6c31648daba76aff65411cc4ff8f320f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: 55f62cf3de962006e476202e364b72da
    SHA1: a05534aadbccd9335b06cfe577cd36deefd4952e
    SHA256: 9099c54dae9f03767c4198ead281a8889c95387f6570bde6a170c3312571a31b
    SHA512: 6779091cf1993eb7ac2fd3520c15528a426dfc4488a83f07738b115572ddaa224df6ac73650acc2b669b8fa911c94525b41ec02e332394e2ad72b31c0fe4bccb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    Filesize: 2.6MB
    MD5: c1fef6edc73a3103a3883d7e02a78ab6
    SHA1: 7afd289a4cfef1c66bafab50c684002767cf4f6d
    SHA256: 3c26edc6b8336656b9fee07845585ca88cb29efd8a4693b138731957d8cca1e6
    SHA512: 0233dba2cfb6377008c1f7532900c01fcf0900e068eb13dd1dba35e8d252a926ebad4f2c65b1ecd06471f0cc618ae38002d7842cd4252f12144b052efad1ddcb