Analysis

  • max time kernel: 120s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/11/2024, 16:56

General

  • Target: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
  • Size: 2.6MB
  • MD5: da11845940bba82434441431461226c3
  • SHA1: 1871690ab9f59b0ed5e6bc612daeadea82f9fd03
  • SHA256: 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9
  • SHA512: f077761aa3f23263b2ae31ca733a4504cadd5227202c48becebbb33b560336b48d10ad214b5a4b40cb71a5ed8155741f7af7a521cdf590d82108318409c53076
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSm:sxX7QnxrloE5dpUpeb/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
    "C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:884
    • C:\UserDot24\xoptiec.exe
      C:\UserDot24\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2344

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\LabZBL\bodxsys.exe
    Filesize: 2.6MB
    MD5: 8b1dc8d3e16b12f0b4c8bfdb62218b42
    SHA1: bce372dd19dad6e28b0834e997ab07daac76335a
    SHA256: 797ea14ae1de21253a7699252a077be858d54e1f612bfff85718942d4da179f5
    SHA512: 00c5c08f04863bc02b3d3c81c87190852390d21bef5d3cfb2d07105fc77c8cd3c5ce95178157c2fd69d7bf6c2c0f676973c840529e2b5abd7f5e6eea710afa03

  • C:\LabZBL\bodxsys.exe
    Filesize: 1.9MB
    MD5: f876acfe3e051e1249c885876e6077f0
    SHA1: fe9e244fac08e71cd6b65495f6879ef8c4463e31
    SHA256: df648d5bac1a602ab14c24522f4299169aaea196a92f9dcd3a957ed74a2fe0d2
    SHA512: faaa5eca2cc3ac77e34c64971f8e756c83e667a5e019e339e55bffe71438c39ca7790017ed17787daff4375098af09e4fc7baec09fdec318d1b212bf51a4bf95

  • C:\UserDot24\xoptiec.exe
    Filesize: 2.6MB
    MD5: 402db5b943826ace50bc64bce2019240
    SHA1: 907c267e332daf406e858be23f223bb07ee5c080
    SHA256: b70b9a851e3109843f13e07f80431e83126c11dc601c59c593ab5a9a65988e05
    SHA512: 2c951f006eeeff33eb61523f4909c964780b14dcb320c5a64a84cd1082ec81246bfdc1bda6734c7be977be6ba200165e5e7f45a1c2c7749bac563a531c426d2d

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: ae5582f55c658dad990f20bcd1b70586
    SHA1: 810650e264e46ff512480621f7717a13d5c41c8b
    SHA256: 4a922ec2e0557fd73d0b834ad3c2738dd401dde7a6a4bed545201e2d4bb3d28c
    SHA512: 12b32893e536e7c472bef9ab1f28363e397c3903338ab266f422588e20c599613ff3a92140bfa466a5d8843237f97c5dbf962ef104d95cab8b8ef975da8b486a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: a1d8f1705f5ff3095bf58ad50c3b5a44
    SHA1: 51a5074c2f36d12df8fd1b62490f0395edde2001
    SHA256: 7b94e3d217fef1dad153316cc5085dc694a57ff1320b1d9d156df7d9686b6eac
    SHA512: eae642e1632dadaebe60d2807899ded91d5362806770b411db25191f2532a2967da85a008b6db2cd378d37eb8d844863cc985d0c0d20216e42fc2b263114f40b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 11189ace6c82c66ec43067b290ebcc91
    SHA1: 265a67983bc74d2376439b542f6cc09ba6e863ec
    SHA256: a62afb8f2226704de890f81f8883925127eb94127698567f5b62edc4acc4fd16
    SHA512: 287e23b395ab3fbbe9c2155555aebcf3991b1dc61a3d51f32c9714b046cb4f1c5a4bee12888a725392074168870b70dc9e3884eff967980a71b3ea6df45e3887