Analysis

  • max time kernel
    119s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:02

General

  • Target

    dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe

  • Size

    2.6MB

  • MD5

    2592424d2fc5fed0e389c9ef93d1ffc3

  • SHA1

    cfa1a620ad2808318c8d4f282d474e0fbb4556e8

  • SHA256

    9f162b3ad9ca4820511ca82de5d7b93bda80f37228bff0b996482b207e2c8260

  • SHA512

    5d769a726a5c2f6e3f126682b97be67cca53fedded8bf313d85a858df3458001c78e2718c32772ca44c4594240e842253f254a6f867f7410b995025fb3f61f7e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqi:sxX7QnxrloE5dpUpmbVi

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:212
    • C:\IntelprocE6\xdobec.exe
      C:\IntelprocE6\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2168

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocE6\xdobec.exe

          Filesize

          2.6MB

          MD5

          97a00bb265163bd1f186415674706d9f

          SHA1

          fa4f8c1025252b11c18ec0e826e893d9faa4a4ba

          SHA256

          12cccd825c92967d8f488c97cd4cb555586873317400553f165afe07903b8860

          SHA512

          ddb809f3ad6f33bf6e0964a133a2bd793915582dabd8ed3e76ff470b3e824a2cc5d713a49936ac05faf2226b803f1e22867be10bbffe91ad16c4e68380fd810b

        • C:\LabZQB\bodxloc.exe

          Filesize

          2.6MB

          MD5

          21cd422ae2a59f109ed92f0e34ba6fab

          SHA1

          868ed47a2d5e31f9e0bb4cf6c6fc7b849d72fdbb

          SHA256

          684378f6987ed8be87d5568e40c5b111e3d6ba10c24c36bc7c1e7eadba398caa

          SHA512

          b650c64718462ae31dab8387c44e54f4825c688c5bbcbe7cb947469889508615f56ce2eb5d0cff3069f68d4ba60e6cce7d1623d36e8b7a0835d0a000a5ed137a

        • C:\LabZQB\bodxloc.exe

          Filesize

          2.6MB

          MD5

          be144084ffe3fa00ec6455b5ebf48e64

          SHA1

          1dc36a5f3f80d4a75a5d008282cae06cd09155ec

          SHA256

          10e07599163ad10f7afd64d1fccc2929360457898f72795dc0d9af98c27922f3

          SHA512

          52359480af1b6d7e0046f179b4289c6cd56e495e6da7d680f095db2bb8e0cf0ece6f2bb172bde590fb188e4c0631e41c017bd7a67bab74732b4173ac8010a1de

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          b0c2889f4af3df2755ae627aac2905fc

          SHA1

          67e893b26cce1be707d15a1ca7ae5bf1ea6fd8a8

          SHA256

          662295bb5eda94fdb0a1e0db99832d902ae864b46f78058bdd0a2f1bebd5e269

          SHA512

          bd35f5f8b203004893c948f4a749c02e76891b3514c7ecf7c45099616cf68a2fd43cc15ea489a597f7656c9218087953f308bccac2a8a99efb4a8078ad349597

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          3c41735be421f0031c173266fcab47a6

          SHA1

          fa2d12e75806e73c57ac769b074275e416ab1457

          SHA256

          2550ece781fe1249c86c2d4ceb36f5de964c49d6b648eb64a01e428809a2c0f1

          SHA512

          9d6de2239d5389a7e49a747a48b4ffec3fd1ceff5fcab47a25f9b2f243870164ca1a2b16ea30cab2a16e4805c4d1f5875866fdb57838c8816f9c8e31a0a5ad6e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          7c939a6d3980cca2f1b0d21d9c900fe2

          SHA1

          c30f5d50bc4a4d897d7af552ed2b26bd800b06ed

          SHA256

          0989bfbcc0274bbf53324ffa6d9fe130cd34ef86b62bd09bdf9aa6ad5fe4a429

          SHA512

          c55f07809658bd829f84220f5513309d2ae2134df7a3e6c90f471097870e5fb2e7747828d2bf7b30d45cba97b2b36d4b960609e8bfa030e9fe0e9e0a4ba48a51