Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 14:00

General

  • Target

    43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe

  • Size

    2.6MB

  • MD5

    2d26cb2a559108a5c47694f74d520790

  • SHA1

    c4a5f881d83ba18e2b482481cfb2da0006219348

  • SHA256

    43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14

  • SHA512

    d74d2175b4640a9b5f495c7a72561cf5bee610162797b5a52b3e2f516de8ff1d48328683ecba0408721fdc3b83493ef790400f2994e47277c766d6b3ef2e7b29

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpQb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe
    "C:\Users\Admin\AppData\Local\Temp\43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2816
    • C:\Files2I\xoptisys.exe
      C:\Files2I\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Files2I\xoptisys.exe

    Filesize

    2.6MB

    MD5

    a0a98bb9304b67c96467a709e36fc77f

    SHA1

    5371d620ffb883a234ea928036ef4176d873d356

    SHA256

    d6081a72c79d40e45f3397ec550f5658d73f97957dcb225468711a177d08d80b

    SHA512

    993a27ec142f3d827afd42149ddecd2c8e28eb72af7145f30686e2c6a02cc8d7a0a5e14a3169b3e1a8d915a46cfc89213eb53da88e4eb22477e99e0a510f2ec9

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    4cac32d776425653332ff99ef24a4e12

    SHA1

    a8df5b89162984fa68dba14818c194002eb73f2e

    SHA256

    79d69d68807fd057385dd4146ea3f7e0b79260af0c4719e11d456d20c449fabd

    SHA512

    53a12a95d3b76106cc553479fa3f26aa50efb616834082c079d96ad1c9a79d69831484d9c08b2305d9a2fcce7555a5930a5862afb1e07a93ebd919a3bd8a95ab

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    7f10ebe3e31cbfd68cdda1bc204adcea

    SHA1

    ca0c89b67d120dab1aa3e87b39814e1ca45da08b

    SHA256

    65a6b7689897a328b152bbc77339048328d6bbaab90c2eac93ced9a22771a4b6

    SHA512

    270881e73d31eb13197d92abc926ce109e57ee30510e18ffa2c816f33476b9836f2f53c749eabab456328d0cfed020664094e237107d68dfba9ed93da4042d47

  • C:\VidBC\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    eebec29bc024c59a9e0b86a89985de28

    SHA1

    0ea1c6f81f1503d1595186631778acfdb93fdad2

    SHA256

    01d20d94942821e18b7fa61d2982eda0b4bbf230c906c07584db8f942772ed7c

    SHA512

    ac3ef0045e90be57d6f13b35510567dc0f529585eeadadf19201182d205872469d0a0b077797533d289588ddad7397aba51ebf00a97cd254d1b8ec85190fb1b3

  • C:\VidBC\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    df5298d42acdf403ace7edd05cf3b949

    SHA1

    3ccecaceff02480f0fa7d46f15f5de2ca1944d79

    SHA256

    6d7fc0373cfb114bc74b3d727d6ec4198dd97a51fff46c87e7ece114bf3b74f4

    SHA512

    39984e6e926f15e5a24e4f23d7c1081ea4531e8fe0630b0a869a00d92431b9ca063580321085d5d5b3efa3d3ab920333cd532c83e24297a5908b0efd026b51d7

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    a809e68a0e54621481b294441d9b6e01

    SHA1

    b77ba6a0594881ca662982c70ae3683574f48493

    SHA256

    aa1e8d7756526b7487373af4d29213199fc083f553d80bf56cda5e0aa36331a2

    SHA512

    6db37f60cb5f4da31ea0643450d8c92d0e5fa302abaf34a42665dc8d4f79f2d4eb6ffc964d969ee071760dd8caa6f7d122966e1f29ee2b5a26d44896e05db303