Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:51

General

  • Target

    d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe

  • Size

    2.6MB

  • MD5

    f39e661293c6eb02e1ecfe75608533cc

  • SHA1

    b3ed1e1afdc8d065fdec6be89fd2de7ffb865377

  • SHA256

    d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa

  • SHA512

    c69121d43574de34b9babfabaf6ae3eeba9b62b54f216cea56ae9a1c318c14e9fe71affac306061ab6dd319e10b3bc371a5848a92a32b50097ca6c9947da0a7b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSy:sxX7QnxrloE5dpUpKb1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, among other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
    "C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2744
    • C:\FilesMB\xbodsys.exe
      C:\FilesMB\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesMB\xbodsys.exe

    Filesize

    5KB

    MD5

    35d5f2180b8da2eaecad0679e66dc251

    SHA1

    3e782e20becd6567750bacb04faafd148aadac06

    SHA256

    2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

    SHA512

    15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

  • C:\LabZFZ\optiasys.exe

    Filesize

    544KB

    MD5

    aba5f0f333201565c2c429be92716b14

    SHA1

    b60fbae703c10e223dda9e6c284d126e3ca51d2c

    SHA256

    c8f1affcbf78049e87681848a12345417a186ca92b1a804672fff75df9b2e268

    SHA512

    4f923dc2a20bc6eaea77a056694516c685422ff794397d93f968b7ec02ee43eb4dec4b606e988d323aca5913342ecaf08fde40e0aa7bf94d8b828b02a4846c52

  • C:\LabZFZ\optiasys.exe

    Filesize

    9KB

    MD5

    61b773990ee27e9e908970e63b267f79

    SHA1

    522f4b8bd8207fe759634142fdb72607b71380f4

    SHA256

    8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d

    SHA512

    6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    5bf8c635793da44279bc869fcdc09200

    SHA1

    e4cb5e5b0192218e986679ef6fd62e50c6b2d24e

    SHA256

    6453fdc8718d92fc01c84099b536387f7afc91641bc46464cd44970b477c7982

    SHA512

    62ffd842fa03cc1fbe0b67645da132d17cb131dd415b8bb1eb7e5e481d96d6b884da9c6294cb536a6f2c00ce3fd71ded8e00622c12fbdc4354384be6846cf922

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    ffba3267a1c07a318d35b69a51637dda

    SHA1

    bbde65a99a8e7d1060690589ea01a7c025d5d808

    SHA256

    4309bd60b6ecd6f4e51c94d9997a9998bb7eae89b1a641d6813ae760dd5e4ba7

    SHA512

    3e3b8ece8f2f3d36eae48d65b3afc4a0368794e255266a3bf368f5af601ba3e731791ab7517a249326ea4e409e59ff2fe152fd185fa988a9fc9e99706d5b8578

  • \FilesMB\xbodsys.exe

    Filesize

    2.6MB

    MD5

    908f94b9fcd7d9e50922ffcbbb8f1063

    SHA1

    50202d53abda9dedb5f886625328345fe8b5d69f

    SHA256

    27f15496582653257d53efee3cf499e4201791895674636719efd847297c9ea0

    SHA512

    b8173a941d78f899cfaeaa0e948469d7dc64b529539eafa5680332ca91fd78750486e139b7b017936316c9b463e008627b85b5d31d0c47d3febfaa9055ea05bc

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

    Filesize

    2.6MB

    MD5

    ec8a9e7a3ee232f2def62ead2aaa0061

    SHA1

    7cc86174c45d28da4582c3533a2793a57551b527

    SHA256

    81ad83d48c549b48abe065fe2949536bbff32e06ff57502f02ddf18c6e846818

    SHA512

    bd1acb4c1c3d10aff30a7f9b1bcfc5873f0937a5b5d75ff1541606995f26c5b295f47976643a2a8a3005a39ecb17d40fcbb59c3e5285f3093e8501df86a3f8be