Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:38

General

  • Target

    71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe

  • Size

    2.6MB

  • MD5

    7b919496c5c7313e14132f0f81ad2830

  • SHA1

    89071682b1c40fad2fc93e56ab79a90707152c79

  • SHA256

    71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76

  • SHA512

    d5a4109ba24d3847dc8b07dc58afe3c3414df9e83ab27633ef3c0fb0ef5f38c8f6c901f83033394e12fe8071644162ba7db8b038d8f6d54a54fcf10cd485f0d3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUphbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
    "C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2420
    • C:\IntelprocW2\xoptiec.exe
      C:\IntelprocW2\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4552

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocW2\xoptiec.exe

          Filesize

          2.6MB

          MD5

          f4e89a8c5dafd38705cf1003d467ceac

          SHA1

          488e5e729369980da30f6fb4f9b7abf8d62f9e67

          SHA256

          13f2c31e0c3f3a3214824360bb8e0afefa5d52aaef30ca959cd5cfc174ea311d

          SHA512

          050152a36fee7fdef1b6b6d17915b41abb817fd4477dad0f4662603370a03bdc4863aa2b55a8580f32e7008f3fa63cb4ec54fe94049758aaee7fd3a1a6b11cf3

        • C:\KaVBE3\dobasys.exe

          Filesize

          64KB

          MD5

          ef5e2c0a10a0c476399752793307c66d

          SHA1

          ca0ec1078bc1cdc291089a6e3da8956ae39575b0

          SHA256

          a406994fc3942ae3c0e08cefc8ed56487ef52092d68cc1d6906058630c91fb4a

          SHA512

          d024de1f0de4779bdbcc760240beb617d171b6c0c26ab571855df697530ac741253ee01b1a78ce55b057f1a6be8f0dbcbcc5b9d0b3c50a17c43575a229cb025b

        • C:\KaVBE3\dobasys.exe

          Filesize

          2.6MB

          MD5

          88bc026ea133367d667040a0e1a65653

          SHA1

          42957668ee60a878f2d637bda35c5512c30557f0

          SHA256

          290cdc3fd3458f95b3361950db53f54b3c2b8ee25738eadfb4040eec0c825d10

          SHA512

          aa765a31319604edba9c1c533037066ff86459f380471ab78306687f48e851ffa8caaaf84e43aed96c3dbb4c1a9a7e500bac0c8b87cdedfcb4b564df1dce2ade

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          36e2047d39ca005d49da809e2d9f4d25

          SHA1

          2ad600cdf442f48ab02493b2aaae463246665a48

          SHA256

          60f9f321509afdfe5e73acfa4e6dd1af33b775c7d2f7df147feb84a14a150183

          SHA512

          98d95ffee14a7ea3dd0d35d53025b52fd657787880e70bfc41ce28d2b8fb796f043b4657f264a1787af57c36a5b50d0fbb8ad58372a7546fbe1d766dd5a1560d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          aee34f829e3a69bccd1132cab5efa56c

          SHA1

          8ef42fa41625a4600e856053a07b83c98545a8f6

          SHA256

          d2c85259c7718c3593401a9780fdf5c9bb443b19eecf9d0e0607bf92705eb223

          SHA512

          349e629531c4bcb393c3195963d142e1a9131f01316d10d5e50bcec96707bba9c810f47b6e1059066f321368e298529d71335294e296e1254bbb2b8c7ae26375

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

          Filesize

          2.6MB

          MD5

          06e3e6fd614d5926484e07f2f4a323d3

          SHA1

          dbc17212bed2c2f5b9d2321091b9921b98742b34

          SHA256

          2b494f7a1335169768abfd311e3729ae7d9235ba66f31cb2238f1150c136ab84

          SHA512

          b660efc0f87524a378218b7a60b4a89e589b124cede2fe1df16bc3ee5b188856f9e06695e4eb14265b8520ba45956c5df1d2dad5348eafeb6bd267037abee3b5