Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:42

General

  • Target

    668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe

  • Size

    2.6MB

  • MD5

    94e10e447e2a27fbe826f53226aafc60

  • SHA1

    0cf3b90fbcad5eacf96fbb85ee2ea9b675918b8f

  • SHA256

    668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61

  • SHA512

    3f4b0a685bb2d64c49689406f7c140d9488c64b53f154e69667a738f8eff66e77c29b8f341c32e4052e38ae8ca9528ce4700e7abecc7ce8fc772b2e971681519

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
    "C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2808
    • C:\UserDot4V\adobsys.exe
      C:\UserDot4V\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2732

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintJE\bodxsys.exe

    Filesize

    14KB

    MD5

    5ffab038d17d47771c031d3b701e0cc5

    SHA1

    74d331d26e5210e7e523c750b0080e1641bb61f5

    SHA256

    1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

    SHA512

    fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

  • C:\MintJE\bodxsys.exe

    Filesize

    2.6MB

    MD5

    c18410dae2f8f403e9119c90d20f9350

    SHA1

    3050df89e1d8a12e6931d85290f57310b97156b3

    SHA256

    cbc6098f1ffeebc297284f32d23888696b800239c85097e2a83e995736cf01a3

    SHA512

    b68d08252e6c0375195ef830eb4013dd69be6b16cc2ddbb1b6cd772e107f3fa600dae9311eda18b728c60ae4c6ea024a62ea43d6e531307df14865f134ee700a

  • C:\UserDot4V\adobsys.exe

    Filesize

    5KB

    MD5

    b1bff5461f6eccee15bc13b90b862c37

    SHA1

    9b68b3e8bd60c2c4b00d1ff961e9c20b00350466

    SHA256

    31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498

    SHA512

    fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0

  • C:\UserDot4V\adobsys.exe

    Filesize

    2.6MB

    MD5

    246b1ad5d4e63d93358cb17d9c8e6f4e

    SHA1

    9b8ba61df6f3fc44323e371a5919f8364f2ec712

    SHA256

    4dd27231988530313ac5252af1c0be1756195c16621a7d5b8e2f6274e04b08b3

    SHA512

    c20b4f1d84be999b582343a681c8a9480386e87c7523716fc5c85903b93e87866f19d7aec334c897d0f37c1713a7df3bd874e82440553939c3b09c946f1a8589

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    50cef773ffe689b44d7b1b7cf47d18d6

    SHA1

    330b7308674bc7f70e83f52dd2ceffda94934dc2

    SHA256

    17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3

    SHA512

    69ac24ccd4453110dfae2b30a38c90e8467a6bf9cedbd5a535e0942a74b324e814007a131cdddc7cb1cc7ea16fadbd1d502e715457bcd07548c90e07d881c4df

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    aeb384f1e097ea21d505bf5ca2c7c1a2

    SHA1

    828bb63147b318e28988954fb745cfa007a35e12

    SHA256

    343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8

    SHA512

    bdfe85dd5268ad255e9fdef1286e03aaba2143450a3b7a984086e9b81a2ec8934ef3184044336ff009c30d706acafe79d54233834a3e9381879aefae3607acfd

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    52aad5152b34da661b520fb20c24d729

    SHA1

    1cfadaa19d566a7d114a70f865d4aaee6e36fc66

    SHA256

    5d3ed0b5e47c42157dbed8e29c6f64aa9ba98b0c6d2e60430fe02fabbe1fe310

    SHA512

    be2b5b137a0214e497fb0f5a5a1f6e42d50e0d4b0738e2a2786eef7e220069689138ba0fa271ae8e76ed06c5ea4a045c62deea78ca5b910aa9bfbe03992a26f5
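The Signatures section above flags Startup-folder persistence and a Run key, and the Downloads section lists the dropped files with their hashes. The script below is an added example (it is not part of the sandbox report and not the sample's own code) that turns those hashes into a host sweep: it hashes whatever exists at the report's drop paths plus every file in the per-user Startup folder, and reports SHA-256 matches. The drop paths and digests are copied verbatim from this report; the Startup-folder location is assumed from the %APPDATA% path the report shows for sysxdob.exe; the demo tree it builds is constructed stand-in data so the logic can be exercised offline on a clean machine.

```python
"""Hash-based IoC sweep for the dropped files listed in this sandbox report.

Added example, not code from the report or the sample. Paths that do not
exist are skipped, so running it on a clean host simply yields no hits.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> path, copied from the Downloads and Processes sections. The same
# path appears twice in the report with different sizes and digests, so both
# digests are kept for each of those paths.
REPORT_IOCS = {
    "1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982": r"C:\MintJE\bodxsys.exe",
    "cbc6098f1ffeebc297284f32d23888696b800239c85097e2a83e995736cf01a3": r"C:\MintJE\bodxsys.exe",
    "31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498": r"C:\UserDot4V\adobsys.exe",
    "4dd27231988530313ac5252af1c0be1756195c16621a7d5b8e2f6274e04b08b3": r"C:\UserDot4V\adobsys.exe",
    "5d3ed0b5e47c42157dbed8e29c6f64aa9ba98b0c6d2e60430fe02fabbe1fe310":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe",
    "17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61":
        r"C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drops do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digest(digest, iocs=REPORT_IOCS):
    """Return the report path for a known SHA-256, or None (case-insensitive)."""
    return iocs.get(digest.lower())


def startup_folder():
    """Per-user Startup folder (assumed from the report's sysxdob.exe path).
    Returns None where APPDATA is not set, e.g. on a non-Windows analyst box."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def sweep(candidate_paths, extra_dirs=(), iocs=REPORT_IOCS):
    """Hash each existing candidate file and every file directly inside
    extra_dirs; return [(path, sha256, report_path)] for IoC hits."""
    files = [Path(p) for p in candidate_paths]
    for d in extra_dirs:
        d = Path(d)
        if d.is_dir():
            files.extend(p for p in d.iterdir() if p.is_file())
    hits, seen = [], set()
    for p in files:
        if not p.is_file() or p in seen:
            continue
        seen.add(p)
        digest = sha256_file(p)
        ref = match_digest(digest, iocs)
        if ref is not None:
            hits.append((str(p), digest, ref))
    return hits


def build_demo_tree():
    """Constructed offline sample: a temp dir holding one benign file and one
    stand-in 'dropped' file whose hash is added to a private IoC table.
    Returns (directory, ioc_table)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    bad = root / "sysxdob.exe"
    bad.write_bytes(b"constructed stand-in for the dropped file, not real malware\n")
    (root / "readme.txt").write_bytes(b"benign file\n")
    iocs = dict(REPORT_IOCS)
    iocs[sha256_file(bad)] = "demo: sysxdob.exe"
    return root, iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    print("demo hits:", sweep([], extra_dirs=[demo_root], iocs=demo_iocs))
    sf = startup_folder()
    real_hits = sweep(sorted(set(REPORT_IOCS.values())), extra_dirs=[sf] if sf else [])
    print("host hits:", real_hits or "none")
```

On a live host run it with the report's paths as-is; the Startup-folder scan is what catches a renamed copy of sysxdob.exe, because the match is on content hash rather than on the filename. Only exact SHA-256 equality is checked here, so a recompiled or repacked variant would need the report's SSDEEP value and a fuzzy-hash comparison instead.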