Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:49

General

  • Target
    88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  • Size
    2.6MB
  • MD5
    c43d5f34536775004db54a33cfd82f6c
  • SHA1
    f2aa967ee3bfe10a7568bf653ba0f5d5cd3c9466
  • SHA256
    88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8
  • SHA512
    0a7ba5f9cc094d03f531383809ca9bd77ca1402846d352cf62ec7ef1f5b0bcef664f2b02acfc025183a3fa9b099f1628893ea8b6964f7ba5e5c2e4623ba3c375
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS2:sxX7QnxrloE5dpUpDbf

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
    "C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2736
    • C:\AdobeCE\devoptiloc.exe
      C:\AdobeCE\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeCE\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 5224dced10ca195c0c1f5d2f3f097354
    SHA1: ef6c4fe0d93bf6cb737b53a7784442d4621a032c
    SHA256: 488a002372c907ca582f353b130d7c72b22f55cf96a5b44ef4d7d2c0607e5162
    SHA512: 4cbc1ed2a50e1d3d34a70b033e3e3c689ffb57bb030f1a8d0c974da3543d7aaf42672cc66e7c1347541a3741568901c83314281ef5e98b9217a67fac39026741

  • C:\MintUY\dobaloc.exe
    Filesize: 2.6MB
    MD5: 2769c24dd0c2f540e4ff534fe89daf33
    SHA1: faa13070d33a61e578f2092432a6bb288af60723
    SHA256: 51b977011134bf5e69ac85a9e8b52eab905390d339d0cc8af1b25df5a3e8eab6
    SHA512: 44b5f01bcaaec6aa12710e7f8d08f705e727d79e3c3820e5ddfda72b22e07458513dae61074953d3b65712a35a0639f38c31130c30ef2fa5268bd9eb0806522a

  • C:\MintUY\dobaloc.exe
    Filesize: 81KB
    MD5: 23057168dfc154d1ad9a3e5fbcbd9d0f
    SHA1: 7e6f6a46a229a5fb7b527dfe0d27225b987c97c7
    SHA256: aab2d129940037b5d66cd3096783c7c7f11656107c892dfeec303da725c587e1
    SHA512: c806b15061f5d63723bfad2915850ad90032e8793c4d50d25e5c4c6bde90a41b6c5198c711abafbfc491233686f013b8eccf7921cb711b3e61dc4831278f3ab0

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: bf93c5ccfc127d9f88bc36c78e039e00
    SHA1: 4706de13ceabf412b1e718d183427be6ebdf0275
    SHA256: e29a7f2d0f249a6ec13b79930077a15de79c633b0b61282926525eb45d2e46e1
    SHA512: 70d91e684561199ccfd0bd0ee7a151ef4ea2c6155ada5ed885a9724419891dc5d2a225c861cbafd0d786f5acf202982c39e40a9e5e33536890eebf2c61ef064f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 14fc9dfd6a4eff5eaa5c89d430af3be2
    SHA1: 36a1b692f3ee139d2738a219424cbeac6c22bc6a
    SHA256: 57387e72d27fb500f9eb8ee398e5e62e2464976f8cb1a2c8746e9412cada0abd
    SHA512: 9dca8cce7d58e165470a8e091a8c9986c49120a7c1a370d7a2112275e04e3fe95b5863a77515d78982ff6b42cbefafc32d38ae66ac15597ed641f8dae57b6ccb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 258d1995cad8073eb5ea858cbbfba193
    SHA1: 45c4a7ab456c4dfa5ece696dd542bb011078f312
    SHA256: 79a140f3c8036c231f0f0c42df119b262c77ee67682cdb2ee1913adf0dc1a442
    SHA512: 890cc6a264d6506cee3ade18ff5456e5f6419f1bf1c5cb9e3d97fd079dcfd72f4c03f675dbdd8b6e12d330839c079d5e217debbca2881eab0ff29f1db52dae1e