Analysis

  • max time kernel
    120s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:41

General

  • Target

    20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe

  • Size

    2.6MB

  • MD5

    8598554f88f28f57e507eec02adce7fa

  • SHA1

    258703846b37011b1330d221be6840b41f5543d3

  • SHA256

    20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133

  • SHA512

    34648e1beeb3f35c1f2d5e9babd20c9773c2ccb735b859270876414bb2f9d76a24231110f4b16a176ac46b90b6f73b781144f1d01783934c1e8b1762267974ff

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS9:sxX7QnxrloE5dpUpybo

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
    "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1256
    • C:\UserDotP0\xbodloc.exe
      C:\UserDotP0\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Mint7A\dobxloc.exe

          Filesize

          2.6MB

          MD5

          a2c0caaa5b129da4f968d16f962c0589

          SHA1

          bd353320647d85913d9cebdb39b74b066388fdc3

          SHA256

          6b405633b6dadbf8a54d436db04e42d649ab0ad8088bf6180e4fe6c8d2ce716c

          SHA512

          5b792f59b19e4aaa22ceb7ad3d1405d2f6b3a84adae7c83642f9a460ab7e2e19c51cfc2436fcd1e58cc40a2e980e0b0454ac80d439519ee11ae65d7ab3c907ff

        • C:\Mint7A\dobxloc.exe

          Filesize

          2.6MB

          MD5

          f68b5f1fe21a2b852b1d1bb635530d81

          SHA1

          c13cf7b29510bf497e39295d03353403e8c2e174

          SHA256

          cc43a09e68a94611eb3922886184bd45b08bac44632be6dda5acc12bfb0fc5f3

          SHA512

          4eaf26062908ebdb36f8a25bcece5428de1fd5f27402ad787522da7a4c4b111cb420a6558e3719888fd3524fe3f290179a8e87592e0ab60ec335379ffa079574

        • C:\UserDotP0\xbodloc.exe

          Filesize

          2.6MB

          MD5

          5c7937a92ae3b13e253aa5ea1b97983a

          SHA1

          f83087cf5ea6c2e7ac0a7b72f22acea2ea70fa89

          SHA256

          4ad37e2a2f4d49206200ba2db4d686bbceb2cf5fd14fea44e39e2c69905bf9ba

          SHA512

          b2f83082806471caae55d4b5fc1ae1404901c40460c1a4207232b762baf080dd7473c677f0036f08e84fb53774e2359dc4a6b29a695aeb22f6d8abcb6075fa65

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          e43e5b50d75495f8e5e54434f109ec91

          SHA1

          998b92b0539e3ef765f3dc693c0e53b4c3fb886a

          SHA256

          109261c823c5d609c3a90b576b7bbe1e0c4587db5dd05d4462dc0658bf49984f

          SHA512

          f806867e57b1c60eaa6eb09adfe0f0e9e772672d9b1a536384b739f31a23b91d79f2b30a18145893c3d4884c874ed0cdae0d6dd33f5ead1e2668c40b8880d5c5

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          7c58c48f4fefff24ed23e6e76d57edfb

          SHA1

          a3bddd073b8b456e247cb1fc8d317d3e7e79597b

          SHA256

          735f4f8a324066a6f1c731a019ed984ccfa8d5ff6ece333922fd36f22f050823

          SHA512

          c731264bba3defafd20046df0505789900493f677e69c3477d7a13c46ae704120005839161b178497dfd98c041e939d5cc71fab4cc76c949b17af31dae8b6b11

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          cd13f5df74f007a109572f80623d8863

          SHA1

          2d789f296405a397de63f439036da74d13815b42

          SHA256

          260f5f5acebec94d70825c06dc68b1f08446bd5358fc08ae5a8c41de30b5a5dc

          SHA512

          bd88288fc3b8a55f129dff00bfadac23ae413a1b827c9e132029fbd622120bd9e0025048d0d7c1ba596b1ea4fdb811e5f94585ba5d76f9445c43cc492095f5e9