Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:42

General

  • Target

    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe

  • Size

    2.6MB

  • MD5

    f7c91568e0ad74851e94df6c04f44f80

  • SHA1

    ffc774105161917f47d12b6a9013ca3bc26e1f86

  • SHA256

    e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352

  • SHA512

    f8c0ea51c48762f4eb5681b0dd203b621e61d442f13f14084c5a50bff3901a3c0e4472ae88ed615b2291f47707fbbabadb3270faaff5a25ba0a8e49ed1cc0568

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpob

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
    "C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2368
    • C:\IntelprocKT\xdobec.exe
      C:\IntelprocKT\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocKT\xdobec.exe

    Filesize

    2.6MB

    MD5

    b7a0938561c03f53dd6693a80e33a2d8

    SHA1

    61e07d0a3cc14ff558a41d8ca22673d1649816f3

    SHA256

    8e351def9669cccd284061eeb3d786846edf17f12f0b0e98de153feee47ba113

    SHA512

    0ee2e50cfb075c5f33cdfdd74418ed4cc6beb7c51f56562ccc52bfa588f92ceb3e5f4e58cc63321180b11005b19b14a85092b21b2ba0bc23baab47c71dc43974

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    06f370af9732cf665d6651dd6ce5335b

    SHA1

    7568d18c536f61f43f605c68d4b507e16653a50d

    SHA256

    0be0d0e1cb370e91241c36d888f54dd3b904835fdb468ff059dc700cb278b7bb

    SHA512

    0fc39da54e812487b65df904d850aa936773d9dec00677b23ad533538e582cec7b46762eb2fc44928982b82548e7c769b513e2c4bf08fc824b62ae15a8e9262e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    ee0d2f62646a71604426b21aef165618

    SHA1

    e2824c3e249f0a84d7426f7e223b5e858270a1d2

    SHA256

    490214d5c66986af042293eb9e8cc518a1b8a8097b9e529e14262082ae9a20cb

    SHA512

    f5c1d26193adbf42d0f066f743a9dc5460c3826103f2773bc2343e7692e12c81b24c2c727e22ca8e6ae7fbcff7afecf370ab2f23e59ce4de2fa402e0ed340baf

  • C:\VidQZ\boddevloc.exe

    Filesize

    2.6MB

    MD5

    34dacd3f975c6150bad652a7c69a80fa

    SHA1

    6009e79836ef7e2f74037f8653f8b990c4f92ff0

    SHA256

    225352dcacd2f2bbf965e25a4c70fc6229f04a91ebd2cd6d58d6a639d045030b

    SHA512

    c190f5a47d0e87f9f2c9c153a99f28a438faeacee32ef2ff754285c00893508109bc2e8abbb7479f3a85c4ff3c4512bea7762d2dc7119620f5683bc8a5a6abb4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    c74f6be92edbdad4ca265931f65a1a14

    SHA1

    32fc28f18362c0a09607afc42730477f98f96682

    SHA256

    cbb8e1bf8d9d17fb89d843d69bb619bea2267c1c31d377ebdb7204139fc13387

    SHA512

    44ec3dd45ce3a8bac8ab5eee9de6f3f161d880f5472249e0f0056a9c3f4b464c3f1069f74a6fb02f7226b8601c829fd8a0f1e65f3afa5bcd6a5ae634c2242250