Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:30

General

  • Target

    8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe

  • Size

    2.6MB

  • MD5

    d2403f45884e0fde9b26de7e4bd1c3a0

  • SHA1

    5a6c9b8dc6a3f9e98d0a6680769d17854782bde3

  • SHA256

    8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141

  • SHA512

    bcc057d3047b35f3804727f51c84e7dfef6573f9c0dc85c77fca03ee6859ba5d15553021541cfdbe2c089bc7b22587466ebbf7455dc3e671b14b9fa69853735f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
    "C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2076
    • C:\Files7I\xoptiec.exe
      C:\Files7I\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2352

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files7I\xoptiec.exe

          Filesize

          2.6MB

          MD5

          96d71bc48f63357d6519d94ad8f617bd

          SHA1

          c1c8e9e2fd51f3a8ebbf71295a817d8eb6dff6dd

          SHA256

          212fa4d62d24dbf07a9bd6fa554eba9a4f221c4c8ea9bc0addf153449e69944f

          SHA512

          e7fe1b7e8a4ba639a5acdea473b0c9d8faf13edb359f17fc53ce9415f4513a94165708e2970626061aa068efa3f224d401a2c4b0c7bb0044d4df09325a867cca

        • C:\LabZZ9\bodaloc.exe

          Filesize

          2.6MB

          MD5

          4f3fd7970df59ce9914903829e83a7bc

          SHA1

          7725d9bf00bb80c5e8885e70d5b37bcb182478a4

          SHA256

          30763c9a1e8ead3d04ffb2b2880c6ec8e3409fd0c7647148472369afb535f2df

          SHA512

          db0d0d90ea347c06a8cedee62a3627529b2da1402b9d3ae19def6a82852f1cce4bc4c43a189eeef92a8ddb0c59f1ee7c9dec228f77e3e174c6d0559ef56ee5b7

        • C:\LabZZ9\bodaloc.exe

          Filesize

          2.6MB

          MD5

          e913180edd070e473406dbb8fe884be0

          SHA1

          a6ff350f7aebfea851b7107f87c4ab74f9d4eb1d

          SHA256

          27a6405f50f9d82ad5fa873ed0feb79f0bc2cca02823768596793992f37963b9

          SHA512

          17372db9b72a38beaac15c8dd9f9ff4704195ce1ff86eb24d1b489c121d4c4bb1235fc57d15c8ef55c127031ec0419f0bc890232ad28679c2870bb0d15367f50

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          3270e4295a4849f3b480a79f0d72de87

          SHA1

          a44e7e0a448e71290ab888958e7a5f261841e128

          SHA256

          63694d73739f549bf123d27bdfb735ff24dd49a66275c032883b809110102379

          SHA512

          fe672691957fc51c949ebc43d77c787fa42f5a5a3c800f84337ec7fa3dae47a0aefd093d7b6dccc04410d9df3370faba7d27076ba63b4feab7d9fa871a810a56

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          8cc4a4fefbb5813737f2023bb3d7629e

          SHA1

          4467cd95d21badbea58b7ab8ed24c2048373a9f5

          SHA256

          e6ec685e546fe09bfec690358a2d280d6f750aebb9e6b1faa65e39ce77533bfe

          SHA512

          5ca98ecdbed8f3335e35b5a11ac81a918123f1a98b3e342e4d3af3d33bbabbb2f4a23c6f7c28e16c364d711624f633c5ee862b512091a74776516dbf3763a2dd

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          884258164a96dd50fcaee578b8b8cb66

          SHA1

          d3f166f55c6341b10dceed7308c87c756ee82cc3

          SHA256

          96ccf2a9fae99b4c00a5a8b0adbc41dfbf8089de278a6ede5da8e26293c66172

          SHA512

          b4ea22cc0a9a7ac34ebb47b466c08d9c5f357d2c65c604529d4dc02b0d6350eef7c2531987cd4febe9c90a6980c0a69c81e2b3e497ded4202d4626cbf5b17781