Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:29

General

  • Target

    1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe

  • Size

    4.1MB

  • MD5

    ddd71148549b197fce05d66ec84290ef

  • SHA1

    3018bf432e92a1bed6ead13c2bda44ee933de2c2

  • SHA256

    1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8

  • SHA512

    82e0812e2cd9868f241d08f0177ecd8f5fe052708cdf2637381772563b874c398854f07e255f50dc5cb518cfe07ea8d499f736240cdc5300fe428d048506626a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNXJqI20tJ:sxX7QnxrloE5dpUpgbVz8eLFczU

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2260
    • C:\AdobeN9\xoptiec.exe
      C:\AdobeN9\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2920

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeN9\xoptiec.exe

          Filesize

          4.1MB

          MD5

          586b21e16f10308e2d00eab380060642

          SHA1

          9449a83b92afd855941105a172af7485c49979be

          SHA256

          179a56de98cd38d7732bf826e0a18694033bedda128d2e222d71c8a03bef04a4

          SHA512

          12c7c23132aecb99a84683a2cc3ab77f7832e50d8ec0a72afdc4a0ad0fdb97d9fff8ed74dac3822ef367644c6909a377da3c42d3d893e25a09cce1beb7dafcbf

        • C:\LabZJU\bodxloc.exe

          Filesize

          4.1MB

          MD5

          98dc1fa6ac7da671a48622b1e22cd088

          SHA1

          249a163cfe1f2a275e83b69dddf617baba1700c6

          SHA256

          8020869dfd8e5877605b2001fc96ed3fd8425c0b0e3b2b27d1f825959e063867

          SHA512

          d10f08bbf52080fd9dd15aca625d8a2e9bfd027c98067040107b4033c9d0869ad4606abc003abf3490cd329bd6fcca7d237a3d176c3bbc368f447eb30ce37d1e

        • C:\LabZJU\bodxloc.exe

          Filesize

          4.1MB

          MD5

          8b1bb25e11fc64b413df49a0d245bee1

          SHA1

          40abde953c5b013c6f511a922156cca4a6b74cca

          SHA256

          6c034872c13dfda6055e3d77d0322dfb35673c80649a37ece4c9819a56189ee1

          SHA512

          ac0dee0901fa161bd46af2fbe54ec468c830c1e881d303f3f3e48f43d7b7bfc2e6a86d239ec150239f0df40ff9e2cb56d4748c71a86ce429a5877787927bb3df

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          ddb5ba669bc632dfa7b5f827f4954be4

          SHA1

          1bb887f34b93e16d98f5c6431b3ec09b7852e734

          SHA256

          7bfd413e0e77f2c42e96a3ab3cdb421c65dfe09878c91fe2099ad2437e4bbd14

          SHA512

          cd32c7659aa4cc69dbe3ec3a6bf342135dfe3f99eb0081ab26a365c693a2d2cde3f57f158d5b2a3675ac6a6b0c359387e20c3d0686eb911f5c90541b552797d6

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          f3e8a5bb6de7e40db15f1cd4ca14aefb

          SHA1

          b25ffbf3e98cd27ad1be8ab538b57d11c88c30dd

          SHA256

          1e714c197adc2855e9948aeaea596a461fda671ce56172bdcf1751762371438e

          SHA512

          4495f51b476b8fda8ef3de89483da498ea47e37177b99132593e8cc277dba3242d71cf0c55666fed331176e6872b0e723d36cf55c075dddea6839921756a1f1f

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          4.1MB

          MD5

          532ac040b275abde224d88f3bb7ff26c

          SHA1

          fc38822d46eda8465c6f39925d3d7f754f2ae439

          SHA256

          33078cd2dfc696cb6fb1fa2338fccd0e1a77956af9c0441bbaf656bceb755b61

          SHA512

          55d9fc9c87c859df09015806bbb17356a7f34a4ce3f64fe6773e55cd5b16cfd4611abee2d32ce3b9e3425e4065ca8823a8dba6552067495945660ed326ed7e36