Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 22:56

General

  • Target: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  • Size: 2.6MB
  • MD5: 06a8ce2ed29c283efd02f9ba5c161c33
  • SHA1: e837f4f40a14ca7563c207c9d29115a666a0fdf6
  • SHA256: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1
  • SHA512: 02b1250c811b50b4d027d559e52fd1969defb177665494244c6c18f9078c44c525c7a029c16ca35a9a65949386258df7057386393bae096b3a3ce71e73dc46d2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSq:sxX7QnxrloE5dpUpvbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
    "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
    • C:\UserDotBA\xoptiec.exe
      C:\UserDotBA\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2008

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVBUX\dobaloc.exe
          Filesize: 2.6MB
          MD5: 15a24bbbb4b3da458cd9c81afe74a881
          SHA1: 8d4e31ba6298e565e1011e7bf6b1a43b6d7c34bc
          SHA256: 2a64f9c9b8b4a6c35f9404de2a12a8e8451f4309ae41880bff7e8633a0e1672b
          SHA512: 0e48aa45fccb6f04a24d55852eae74434e19cd39a4dab64d7e824ed3eca0c0ac6a6f813eb8bbcbb09c8d3f61e03d65d67fe8b3d06ad82c583baf956bc28c41c6

        • C:\KaVBUX\dobaloc.exe
          Filesize: 11KB
          MD5: 6e48912c750d2a4af218228dfe476e8a
          SHA1: 8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489
          SHA256: 6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40
          SHA512: 94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5

        • C:\UserDotBA\xoptiec.exe
          Filesize: 2.6MB
          MD5: c2d362d2959f546278d3b7d897bc6aaf
          SHA1: a0ed657faa3ca589791dcf42484ff82da29bae1c
          SHA256: 5648f01596445059551a1d2ec14c000fc0bb6fb699f03dd2029ff3b099e70a2a
          SHA512: 93da57d160e8c85f5bff99b5faa5d2ae452929a0e2cdd2a0bc7db8facfb51f09bffed2cfcb40204f7afe3d8f036bf39e0d5e4a19f2a70c2bac5b4a764073cf33

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 170B
          MD5: 768f718d2dc18968b98fee054eebafb6
          SHA1: ef36404826868bf009928cf6685d41f89093ece2
          SHA256: ba0b34b9b6ce221cc1f4d5982c95087ecfec9dce8cbea352975ea4b9a5371f4f
          SHA512: 3416c2a9dd0c9caf809a4ba2250bc6502a87f2fde43dbb789a18e3a7a9202de7360dfb229d6ec1111e348d251660fae11ccb2ae7415f6ac5138fa28fb9e0f2d7

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 202B
          MD5: df93e2d4e1a5becf412d59010b87304b
          SHA1: c912f8f3eef09ceb215e730248d3181f25e75d51
          SHA256: 65bb6227efa27f0b97cf4623bec93ca4c58aa647ff945036ca5c292de6358ed7
          SHA512: fdcf83bd0bc73b5935fb4d9a85227a1cdc69ccb13bbcf331f0ddb8e39e72299feb7062ed86680797df57b96026ce2f9201707e6c315ef71c372e80e026ce8b6b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
          Filesize: 2.6MB
          MD5: 5a3c84e0b6f0584bb1d8feb3a10cc1fe
          SHA1: 912f1a245e64d158818dc632483fc761d88437e1
          SHA256: b3d7f9a35a31ac1626cb07bb9a4b023c50fb223332e88c9dc5df19bc0e678dc1
          SHA512: aff087a805b5726f4ecb297a09169c85474bc6ea5caf000a89db9b713400b2a190a323b2d01ec73abc7df6a14519ddc9dd4a8fc3eb18bbc38cd88f55a6bdd3b5