Analysis

  • max time kernel: 149s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 23:24

General

  • Target: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
  • Size: 2.6MB
  • MD5: 6d95fae96a1934e6ddb07952c4ff8650
  • SHA1: 6750b89dc3d53d195b1f4b20be35f12688e3de66
  • SHA256: 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c
  • SHA512: dbcd23134f03e33b8331b37f8fa2b138c75bebae3e8729cf412599cdbacdc9b0fae6058b921d0e99f14c4cea29173a1936ffb960f99370e2eec45a9f7ebb0adc
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUpjbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
    "C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2952
    • C:\UserDotJE\xoptiec.exe
      C:\UserDotJE\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2500

Network

  MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintIM\dobxsys.exe
    Filesize: 2.6MB
    MD5: f020dc7e2095dc5658ba4564883c1453
    SHA1: a06d9dabff25e6d44c78664670c1f8b3163d146f
    SHA256: 5b30be4646a2b9f6f81aa36c7dfe3661be2f3961b7e9ed39bfcc0231bc3a04f6
    SHA512: bb09e4fcf3967ed0e6ff2df77243d949fc558154c693ed63df4c715fabdbdd62b08c3e841512b1be9cf0c192ece3ce079d1d29abe0df39315fd38aa8eef33df1

  • C:\MintIM\dobxsys.exe
    Filesize: 2.6MB
    MD5: 1a6aec8827946280048956765844777e
    SHA1: 8ce362d25645660f5be624b470247e130e31ce26
    SHA256: 7ea08cd36ddb4e7deeba31aa66ad86c2217468d6eb8d26ff853621c308697c52
    SHA512: 3cf8169b452c3fa31057204296e23cbe21792f92c47e2773969f0681fedcef2ce2930bdd631542aeab5036760842b5183eb4b0126c5699796b09c5e3b7e614c9

  • C:\UserDotJE\xoptiec.exe
    Filesize: 2.6MB
    MD5: cd16fa8c4b01b0d485a48af1ac1aadfc
    SHA1: a3a22135b12eb98aeb06092748c58f6ccf27ae47
    SHA256: 0708d04e6393144f128fa2e9fbde4148cc53a7a5030313b697cbbe3552e06dbc
    SHA512: 685b4b8b1099e99749cd20e4300f87921d0fdfbf313ca2c338a7918175da520cf93550ae39bab5f5cf78905165aee94a3d9f0099018451fcd74babd2132e56b8

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: 80ccbf0c472ef7fdc919cb456b91923a
    SHA1: 4535910f03ab2ba6761966c025c97a7083d282aa
    SHA256: 1444215d6fb11b55d8f7cf248b19e578cd2cb727c805def619894c8bab56917b
    SHA512: 33b61c84fd7cfad0d3558a803f24ab93c970e106ed9a954045cac376978f61fb8eb7757ad7c380f3e38043848477e0787b0d686477bbc668286bf12890e69e8d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: 356c66ed7173adc9ebf03dd0d2bcc61e
    SHA1: 292f34aff19a8064652e1d720464ff55c0957a72
    SHA256: cb0cf04ef9fdacb5097b3787cf23256b0581e172c93c22738d65cb7a77ef230d
    SHA512: c713d633ea137a81cde284b01fc6b6481eed5215c0e2ffbedbaa5e2756e5b5c563300816dc2cafd729537a33c62a79c36591beff5b8c05c5b2490e638461ead6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    Filesize: 2.6MB
    MD5: 346a8d4aee7236db8c62875889aa54ab
    SHA1: e93bcf3bc2a956094568443649382f83c4c82044
    SHA256: 8e62d6114c433f3c778a11a8c527142b664a1165887af03573fd37600710cca4
    SHA512: f6034598ed031c92d72648eab6de3941070da5fd189c8b70590b5f89c29bb2f59d6e34ac3e7d1167135069f1a774d2888dd666b09080d68bef6f5a989f5d5929