Analysis

  • max time kernel
    119s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:33

General

  • Target

    7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe

  • Size

    2.6MB

  • MD5

    ed3cb1d16d0b67b5b30f72731d353745

  • SHA1

    d27e62b376ac0bd8d24587fd40ffb2d0c7a25034

  • SHA256

    092d2e1ad6c85ba0bbfc8a65245cfdb155b91139c6812c5c8f4068ede8401099

  • SHA512

    b1ebfb36f3374946b91249de82c0c4d28ef303808e0561748d6af6ce45d0476e05483120921de0fdea667aa7b79ab7575f5a7ea964b592c32344f4e127747cba

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSQ:sxX7QnxrloE5dpUpfbZ

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4724
    • C:\IntelprocHE\xbodec.exe
      C:\IntelprocHE\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3904

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocHE\xbodec.exe

          Filesize

          2.6MB

          MD5

          b84f035113695ea2e207992d89b43cf7

          SHA1

          8eba93937d8a00d1448794663c80b17f4c634054

          SHA256

          75ac8beaa6b7b1c47cbd7a1b55a20d4d8e136019d77f847dda65fc6cd57a1780

          SHA512

          f304aaf77b0e1a3caee32b1e66afb8bf3fa8df93491946500fd1bc8d3b9483e73a8a4dd5f77430892cfa5137c8c1fb6216c5249deea84be404c64ebd617bed4a

        • C:\LabZGP\dobxec.exe

          Filesize

          2.6MB

          MD5

          717162a9aef4c2b2f5d4c50a4a4e7109

          SHA1

          b3552f2fb504a87d0ea813c4e20ea81b53dd89e3

          SHA256

          04f911dd7436c73b29fb836913d83cdb526d4e2c37951c5a619a4a48362d5a9f

          SHA512

          85631f9e8ce538e1137126a6c575542d10c71070aa1539a9af6fbffe76c40549c05773c8e235c4cfffb899cc745d73e7f85550bd651d9ddceaf15e91746f8fef

        • C:\LabZGP\dobxec.exe

          Filesize

          273KB

          MD5

          edac67541e17327676c69e7ce541e5e5

          SHA1

          7489b3893cd631df40fe2c6a3d8b8c059c4daff3

          SHA256

          f41af16280d71e1bdcb9e9bf942b2c0e87f1d6aef62b6e951820870edf1fc04c

          SHA512

          4764a19827f9be3d915eff21e3f27ccdafc1e507d1ef8b277b300aaaf7265fed9ec7724aa9b9f450d914b321f62414d2209fa89f3f62e38f9a0b74c5b07b3536

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          e0d7ea5f22cf1fd389d4910d097885dd

          SHA1

          f6101e1cde674f27489aa5bf4c496e23006d149d

          SHA256

          03ed0f64e656f771fface3338dba3219199e2e452ccfaee3dc30d5e15d47deff

          SHA512

          cd4f3a7673a9384e007b52a60283b78e81eb11723c987bd8e7ff0400ff29a4fabbbc107fe6c206070ef6cafaaf7fba3b33102bb00d1be7e35639ad2873382118

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          5bdf40578ca4f1f868fcae0a48638d7e

          SHA1

          ac3f78f2c07b10d9e1a8a619160a9c1f4a1d1394

          SHA256

          455b914a8eb7447c285fc0e3af2b1f0b383c29c5bf5e561a625bcb3ee7bdb7fa

          SHA512

          08b4b00924f85e3baee9eb90d0777b48328f3f4b401617440865ba2b9aa5d3f76b3434ae8d06d573ce17a153a78cba3c9139a3e3fe809c4892c0d0e53c879026

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

          Filesize

          2.6MB

          MD5

          caca2d350e70397bad58b798f81cb241

          SHA1

          73d425f110de969682b08d7c423529f6cdff4e6c

          SHA256

          25927850d97a040e9aa4eba92daab82512d4562af360458c9d7c4241d62e09a3

          SHA512

          ac5bb5ede487e12ee2c64e20f467f98a913b879ec4ae76dffb395bac90bb3f285ebc3ce26edd884486d35ed407856a2717da5a172a5303b76361849bbeac134b
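As an added example, not part of the sandbox report: the dropped-file hashes listed above can be parsed straight out of the report's bullet/label/value layout and used to hunt across a mounted disk image or a live file system. The excerpt embedded below is copied from three of the Downloads entries above; the `parse_downloads`/`scan_tree` functions and the directories they are run over are assumptions of this example. Files are matched on MD5/SHA1/SHA256 (strong match) and, as a weaker signal for a re-packed sibling, on the dropped file name alone.

```python
"""Parse the report's dropped-file indicators and hunt for them on disk."""
import hashlib
import os
import re
from pathlib import Path, PureWindowsPath

# Copied from the report's Downloads list above (SHA512 omitted for brevity).
REPORT_EXCERPT = r"""
• C:\IntelprocHE\xbodec.exe

  Filesize

  2.6MB

  MD5

  b84f035113695ea2e207992d89b43cf7

  SHA1

  8eba93937d8a00d1448794663c80b17f4c634054

  SHA256

  75ac8beaa6b7b1c47cbd7a1b55a20d4d8e136019d77f847dda65fc6cd57a1780

• C:\LabZGP\dobxec.exe

  Filesize

  2.6MB

  MD5

  717162a9aef4c2b2f5d4c50a4a4e7109

  SHA1

  b3552f2fb504a87d0ea813c4e20ea81b53dd89e3

  SHA256

  04f911dd7436c73b29fb836913d83cdb526d4e2c37951c5a619a4a48362d5a9f

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

  Filesize

  2.6MB

  MD5

  caca2d350e70397bad58b798f81cb241

  SHA1

  73d425f110de969682b08d7c423529f6cdff4e6c

  SHA256

  25927850d97a040e9aa4eba92daab82512d4562af360458c9d7c4241d62e09a3
"""

FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX = re.compile(r"^[0-9a-f]+$")


def parse_downloads(text):
    """One dict per bullet: a label line sets the pending field, the next
    non-blank line is its value."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            pending = None
        elif line in FIELDS:
            pending = FIELDS[line]
        elif pending and entries:
            entries[-1][pending] = line if pending == "size" else line.lower()
            pending = None
    return entries


def hash_file(path, chunk=1 << 20):
    """MD5/SHA1/SHA256 of a file in one pass, chunked so large images are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, indicators):
    """Walk `root`; report hash matches as 'hash' and bare file-name matches as 'name'."""
    by_hash = {}
    for ind in indicators:
        for alg in ("md5", "sha1", "sha256"):
            if alg in ind and HEX.match(ind[alg]):
                by_hash[(alg, ind[alg])] = ind["path"]
    drop_names = {PureWindowsPath(ind["path"]).name.lower(): ind["path"] for ind in indicators}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = hash_file(p)
            except OSError:
                continue  # unreadable or vanished; not worth aborting the sweep
            strong = [by_hash[(a, v)] for a, v in digests.items() if (a, v) in by_hash]
            if strong:
                hits.append({"file": str(p), "match": "hash", "indicator": strong[0]})
            elif name.lower() in drop_names:
                hits.append({"file": str(p), "match": "name", "indicator": drop_names[name.lower()]})
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(target, parse_downloads(REPORT_EXCERPT)):
        print(hit["match"], hit["file"], "->", hit["indicator"], sep="\t")
```

A name-only hit is a prompt to look, not a verdict; the two C:\LabZGP\dobxec.exe entries above (2.6MB and 273KB) show the same drop path carrying different content, so hashes, not paths, are the indicator to act on.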