Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:02

General

  • Target
    fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  • Size
    2.6MB
  • MD5
    a954123375b68224644745c7d4caf4f9
  • SHA1
    ad91f8c88f9414ce194d49898df6286671e14eed
  • SHA256
    fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30
  • SHA512
    9a1cde7ae63c7dbecde7b5c9150ce88074cec75980ad76c266a28e610e84ecaf3bbe02ff6ef2e7217ef61fdab126b005acc68b7f686b09836ef35cee218af648
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqX:sxX7QnxrloE5dpUpIbVX

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
    "C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
    • C:\SysDrvL6\xbodloc.exe
      C:\SysDrvL6\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2672

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SysDrvL6\xbodloc.exe
    • Filesize
      6KB
    • MD5
      0860ba7ab87e6dbf893e728aa4621778
    • SHA1
      6296ec6dd59bc3b8a68b647437f788d3632c62db
    • SHA256
      dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2
    • SHA512
      6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef

  • C:\SysDrvL6\xbodloc.exe
    • Filesize
      2.6MB
    • MD5
      041dc284b91064ab8f65bbb0c896da88
    • SHA1
      0d22fa16a6f47cdbd8f725b0f9e9bd434e2e1aa6
    • SHA256
      fbe867e6060f0d6b7f662ac08fc3f9ecc8c982058cd99177f78075fd51fb3df4
    • SHA512
      9d122fe764d412fdfb0f86c2fe734a0ffac6f6bd7160305cb67c6be27a6384bf3398bc7199c61e7f8ddc140ae5cfbd21e14c0ab3ae97195b9e265893d04c9689

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    • Filesize
      170B
    • MD5
      83cc3848b71ecc575fff5e2c636801ab
    • SHA1
      60fe80f1a018733f5d3c479ae010594b8b954b3c
    • SHA256
      f1253ff44f4a03b2e5205cd0be12da50020a3f5b27647391d8508d7c626708c3
    • SHA512
      7c19ddd9f042931979c7d0ff3adc61ac1563a1ddd43c918550d08c3acf0b5bd230d9ac605e656b9df6c68255ffc5e81e1f4a26fcdc5400a3518eeb3d75d68545

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    • Filesize
      202B
    • MD5
      7d4802bc054bce832268988623554ab9
    • SHA1
      f3dacdb1b1e57cd2a2ca30b8bff9077117f807b7
    • SHA256
      102b4a8055ff7964fea1436e423ccfd38528e738e0af7303cecda233c977535e
    • SHA512
      dbdfeb8be600dabb4032b542252858ce15375207f38c6fba67d25a0166348a22b2baf04f3c0d27c4e8e5c31c73ccd9671650862901c8ac0b2a5e75d4896cae67

  • C:\VidUE\dobdevsys.exe
    • Filesize
      2.6MB
    • MD5
      aec5969d646c0bae3722930622715bd8
    • SHA1
      f10127d7715ced86c08b46905ea0bdac8221a158
    • SHA256
      2fee50b0289bdf20a500c87533c01f680ee7742bf20468782678d9debbdb634b
    • SHA512
      3dacf03231fb3452b9e6a8258f3ea3e53566d356fac4e9df909c7263f02a30e6ec08ed53f9821b9862bc3508bedc2a6e53a9aba401ecbbdf29030f1866118f98

  • C:\VidUE\dobdevsys.exe
    • Filesize
      12KB
    • MD5
      5ce46de9d1c8ab23eeb8a98bb0b2232e
    • SHA1
      eb2b026ffaf5a7802065fa5971c5c4495fa6763a
    • SHA256
      0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0
    • SHA512
      173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    • Filesize
      2.6MB
    • MD5
      b3cb1b4185d70856f37547ebd63f6e24
    • SHA1
      3f03a47f40997caa4ce4ff749375d271915350e6
    • SHA256
      d48a016cf5780ff92b11496b518932b02600a4f9d6106877d399585f33b8e213
    • SHA512
      79092c07bcd67fb3228502c46c16d5795c7397984136d27914b7380a19810c5f77e146c4373bfdb8ca917811b0ccb6e7bc5066fd8aced404fc5472a293b68a16