Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:19

General

  • Target

    a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe

  • Size

    2.6MB

  • MD5

    d1d59df8ac06d0567fe91e5a58b7e062

  • SHA1

    66c0620362f5d81606d1597592611a8009da8f77

  • SHA256

    a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890

  • SHA512

    80e49a9af30a1de1b6f992f0a45e8b3ea25d251fc2c2bfe450d424909bcf5f675c01e4b45c2c35ef76cf2d43d01391b945dc570f887f4ea867fce4e0604aa08e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive material.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
    "C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (child of PID 2096)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2928
    • C:\IntelprocET\xdobsys.exe (child of PID 2096)
      C:\IntelprocET\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocET\xdobsys.exe

    Filesize

    2.6MB

    MD5

    2bacd911df1a49635b46abba710bd824

    SHA1

    c5ac80d3b9f4766c6be1c17be84ecd1a3c3a0093

    SHA256

    ae70897c515d5f59fac6a0f3b2b20537f770dc7e528280579628acb84104d9a3

    SHA512

    67341b1fa6a40236b79097bd7a7aa16effd27ca775dd21cbb11143f7fec7e12aa2d1182ee988278641bdf949a88728c30264939922f00db01f0e5445e2c84311

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    f91b2dca6439425c2cbc210698b9c449

    SHA1

    e3877ec3a070b4dd248b49dbd05af3f3a2e09016

    SHA256

    a3b57dff8a8be34716fecd03099d8af0eb3cb68ff07a414fd8fdce502a75abce

    SHA512

    2af1deba4116333443e2575428dd001dfefde2e80d53f3918cacf4f319e321b91f612a3ad0f13a1906459f0603997f21e203beefe8ab79e4b6e778269cbf7e5c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    e75f2b5c4bbf0ec2dc65177cbd0e7591

    SHA1

    539533ad6606ec281eb7ae2a1ed7409d05fcb668

    SHA256

    2eaa548b8599e7b31f6d6ac22f3907df3aa681142cb2e96a21dcf257e9488f3c

    SHA512

    13491af895687aa18be519a9ac004bc0ab842879d295c5221beaf05f4fc9eead531c555e517dd7dcc955098793678b3d8dac130bd0a61750624caca9fcdccd97

  • C:\Vid0V\dobxec.exe

    Filesize

    2.4MB

    MD5

    7365bb9acb86142af5e636feb89c014a

    SHA1

    eee0acc99d329cd9d231ec63b9ac6c47287dfe3a

    SHA256

    830841886b0efcb5ff451cfea0465677017cd21b2733b0599ca73c2769c0a202

    SHA512

    839e146b0ae091159e80e4c8ac49dacca1a58f0f053bc38958058541c22341d280ba6f7dd39251514f1ad1ad0be2c566c3784c7d89130793b4f493bb2952dfb6

  • C:\Vid0V\dobxec.exe

    Filesize

    8KB

    MD5

    b6a3be42755c871ed4a546b6cfb8e5e8

    SHA1

    45db3ee8541418f154843d4a791071b3c3c65177

    SHA256

    1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657

    SHA512

    a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    4545f26df325bb8bc5b1b3dc8286fc81

    SHA1

    c62481ce316d2e27b1a346840a045de984dff0b6

    SHA256

    8e89c3c8efbc2e712a7c7c83f6c362be3587af5554d75cefb205d77f9b1e62da

    SHA512

    2d1da95806191716381e68216b50acedd12c50537211528c465bb482dc2bc5afe53c21973f21c823afd05140aaf4f9c7b66e01905eb4f0a24cd04d0e2bedc71b