Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:49

General

  • Target

    04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe

  • Size

    2.6MB

  • MD5

    5961d71e56aff2077db69081b8c39790

  • SHA1

    72ea7877fb7c7d8ce6ddfbeb6b069db882b6371e

  • SHA256

    04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96

  • SHA512

    409b08609094b4522e1bf8ec98b153f2e760a0094413745b54a40b09f632d9a4050467f5748547d79b6d8a8bdec1d32ffc3dd99da7fb2620e36988867d658a8b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSi:sxX7QnxrloE5dpUpZbF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
    "C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2928
    • C:\IntelprocET\xdobsys.exe
      C:\IntelprocET\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocET\xdobsys.exe

    Filesize

    2.6MB

    MD5

    8e21a7330817d440633a83e76002c67d

    SHA1

    a124d9500f902bbb0a5ef5c465d532ae642333d8

    SHA256

    f41964f777ebb70643ff2183cd208d5d4ae364621caadd9631d0fdf9d250ead7

    SHA512

    f032285ad9bdf6eb78cc5df7ac795b9f27dfe07473246ade5e5983d5cd02af19d7a203c6521b99952a85055603d7ad48845559c53253fb777f8de013d528b788

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    f91b2dca6439425c2cbc210698b9c449

    SHA1

    e3877ec3a070b4dd248b49dbd05af3f3a2e09016

    SHA256

    a3b57dff8a8be34716fecd03099d8af0eb3cb68ff07a414fd8fdce502a75abce

    SHA512

    2af1deba4116333443e2575428dd001dfefde2e80d53f3918cacf4f319e321b91f612a3ad0f13a1906459f0603997f21e203beefe8ab79e4b6e778269cbf7e5c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    e75f2b5c4bbf0ec2dc65177cbd0e7591

    SHA1

    539533ad6606ec281eb7ae2a1ed7409d05fcb668

    SHA256

    2eaa548b8599e7b31f6d6ac22f3907df3aa681142cb2e96a21dcf257e9488f3c

    SHA512

    13491af895687aa18be519a9ac004bc0ab842879d295c5221beaf05f4fc9eead531c555e517dd7dcc955098793678b3d8dac130bd0a61750624caca9fcdccd97

  • C:\Vid0V\dobxec.exe

    Filesize

    2.6MB

    MD5

    a3300ee6b9cc72a8cc2ab5fcab44ee0f

    SHA1

    4ac76e0765e3331d871860d93d63b9d7b75137e2

    SHA256

    4858e5713b5eb4d70f6c3c02ecc979254199a19f2cc2189cd700f41bd7ef5794

    SHA512

    f28c91719702d051db613a55dadafd5e5d760f950a100a0b382bf52ad16653894e3faef34e881e9f1d20ab6fdee4e9666bec28c7b3620e4195a2db9f1a2b9e33

  • C:\Vid0V\dobxec.exe

    Filesize

    2.6MB

    MD5

    840c6c13dec0f435f4628033af428dbb

    SHA1

    911f8e100309dc5d06ce1e8f68ffbc2aa3c8b420

    SHA256

    c46db80b55940b27b22e8905fa444af023c346304a2c349fd982d4442a398ad0

    SHA512

    25b4e65757aa4cd937bceb9856c43fe8d82d0af9fc220e3f90a1a74d3629206e0f189c6c417eb2a78b294f61f7e8ceee589a99c7c8eb619d437bffe79f95c157

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    b1db69d95ced41c4ba44fce35a0c64f9

    SHA1

    7297cdac307f5158b04b77b74c08edf19e1133b1

    SHA256

    229efee2382eda0d70444ce800fba135f5a97590273490e93b70df7d6af15412

    SHA512

    7a9ddbcdd9ad479a8f15fc4a75281257ac07a6c5df03da1dbab6a7eb2cdcc46c559c6b2e507c76c326ad24eab9a95c22fdfa5c8d47fafe13033cd97b6e16c30b