Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 22:57

General

  • Target

    dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe

  • Size

    2.6MB

  • MD5

    87728a415246cf1e3538fe76b2acf843

  • SHA1

    3bce8a71a9c0718c9d3a044457ea55f8b3419bb4

  • SHA256

    5176155f86655f989e23071d0faf656ee8d09890c0b52771cfff45dc93053a85

  • SHA512

    39eb8df8e93f475534011eac272fb0a36909bd080b7d2db9ac04a0bb8fdf152117fc7a63c67400fc3bb5ef731be66f798f1822bddbb3ebdbf6b0fa2614a3d41d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSo:sxX7QnxrloE5dpUp0bT

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2208
    • C:\UserDotMD\xbodsys.exe
      C:\UserDotMD\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2276

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\UserDotMD\xbodsys.exe

          Filesize

          2.6MB

          MD5

          5d6235788b46a9dee1986c1bb914ceb7

          SHA1

          5cacbe494f799d5568fac60050410e7967dd47ef

          SHA256

          caf390032316c251e7ae458b55349a876a2c9d24e706b1c54c9bde2f225b744a

          SHA512

          d02dff41b497ccd2a950baf208370d40320b920c15a81bd284f0d4167b7c73414c6e7efef2bf698b402e7864901d933bb6366b99894e384f05de656d55ce74c7

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          33e2ca8d6abce706be89ac75563e4559

          SHA1

          7ee1a2eb366a3514f7bf851befe031aeb99d4e13

          SHA256

          02531be458aa3443e2b1c6c532a4656a8077c5e70bd8df1d9087b4d8a40c2566

          SHA512

          890bd151a749477b6f353e7f709b6984b97fb397684dd117e4788d5ae2cc30fba86a4803d960410b9db10f8eaa7343c78ffec5c65679424ea05cd4443d3c1526

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          02cca08b61899ca1cabd9ee507ed9759

          SHA1

          087617c854574d4496a105c3a8bb424db3835b2a

          SHA256

          7f87bd4e7c4a30bd0c51a1c8debb4c312d1f3c259a5086418bba08dc51c325c0

          SHA512

          7fe92a35d73b927b2b7a1cb36fac78ead7e54f7cb019b1b30fe6d0cf20e86afa16da83364398712137f19929c07e3371511b13a06fd56e5acfaf21022a9993cf

        • C:\Vid0V\optixloc.exe

          Filesize

          2.6MB

          MD5

          2a32e378fb6b8725b7e720353b740465

          SHA1

          9d6cda576a0121827017718ad74516497b538f93

          SHA256

          3c64e8a27955021f9fbd4dc00270fd6ab490d03422ca91995674a7440a767274

          SHA512

          aad8a32a99580541556eb61775693a0099156dc65a32794ffb65769c4e1631c7f3524cc86a5b260b1cab8ea6626cf75e6e6772ce647318b1795fab95c6d3b3b9

        • C:\Vid0V\optixloc.exe

          Filesize

          2.6MB

          MD5

          aea195f125cb1ffbdb6fa52bf4899825

          SHA1

          6c6cbe889de925c6e52125e079859d32d7bb0d88

          SHA256

          d79a627e9224a256402bec615f93c5bc1079647505b5e09ab4fbe6b1076f4a92

          SHA512

          194053527370f4d21943e58c07c7da2cc8f378405060f6a148d6fd86c094d20f6b42403ada185a47e7658b0da8f73741c32b70440fb8d5c7d8a4e42e7fa3a415

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          ad4b324e659e4dc64963ce1d32bdca53

          SHA1

          83d67b82511aed7dda30c174322ac0138fb40b2c

          SHA256

          5cdb35bc46e0890602b6e2cb181955909e6bc621f6b0cf9484fadb1f7998a849

          SHA512

          562920c8b96e54a5e2957b11615b89d1fe46ef774eddfec459255ab0996cda4a375e7d5a904d2d7a252c6baaeacf615c610c97b4f90da4239219573f34c59862