Analysis

  • max time kernel
    119s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 14:02

General

  • Target

    61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe

  • Size

    2.6MB

  • MD5

    aac09bdd2392a2bd5b0f983971740f48

  • SHA1

    7cff1a49e05e3f288540556e3def7d836973b3dd

  • SHA256

    61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721

  • SHA512

    d4007105435f1d06de9ef1f5f3333f8375a73f88dbd2ee60582a296786334916b85aa9d31cc7ef0a5be571ca4f3b75ef3b1c9229cd9f56ba22ab95aa5cf79fc4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSy:sxX7QnxrloE5dpUpsb1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe
    "C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1908
    • C:\Adobe3C\xdobsys.exe
      C:\Adobe3C\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe3C\xdobsys.exe

    Filesize

    55KB

    MD5

    2993743e97101bcc2692d14a9df3b0ac

    SHA1

    6dfadb8e5770f049f1ff6bf105439012ad76cb42

    SHA256

    57805ba6bb90791255d15d49daf1b3641772b7d4d19babdc1e0bee563385c1be

    SHA512

    2b18954105ebf5fa991b2844f7a09bc867b44441c8cabb386ce9a7474d28f0d9f3fa4ff09aea02d6bb96a5da288480a1f05a138e5c4c32b18a96c6a810645dea

  • C:\Adobe3C\xdobsys.exe

    Filesize

    2.6MB

    MD5

    686d01bc1fa8e85df198030cc4d4b461

    SHA1

    6f50cd93019259b028d37524e0f632706f7dce5d

    SHA256

    3b8153f09a41e15f81b89c963fa8f0ca96ac19ad6081ecd1c8bb0fdb40a2b9ff

    SHA512

    d14355d7e1e25cc66719d0c8c503cc510ed666c30dfebfc2d5d0f35c827504e1e7545b9de09708d6010891a94996bde4ddd18b941071a563cdfc8dd024403cf7

  • C:\LabZRA\dobaec.exe

    Filesize

    212KB

    MD5

    312ac801da99bd2f9040a19a077f69f5

    SHA1

    575cae10b4a905ee4a07f2ced1198513d56afb75

    SHA256

    e2e92a74dd30766f9efd9436c4f531fbd18521a2ba827df313428169cba731fa

    SHA512

    5465519163220070a61f32824852ab8ae5ab84367afb95b78538d19b03720409c82833d08e1012a6b6a5a71f0222a256f59c3f761555d7770eaac26111c756e2

  • C:\LabZRA\dobaec.exe

    Filesize

    723KB

    MD5

    fdd2527e3688aab6c6b1e76c7de10c73

    SHA1

    8f94b17fd6aee482fc863022984501c8acfe255d

    SHA256

    2977ee280cdd347385da19d1a3a571b6818e0ca471a2d2f65051427be2bb4853

    SHA512

    bc086b179f2f15033524edfeac1d02843818a4635492f8bca9005efa044ce50ae6ebab7de04275244568161b912295058d630c926c3615559f95186f5457db67

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    9b9f1c265392b1e48922f3ba5c5f7cf2

    SHA1

    70c3e76134ba0a7283efeb45fdbfd64c12e27a68

    SHA256

    b23a2c057038e804b2467302cccb5c6154efd7d44a5f9a41996d07c86d0a8bc3

    SHA512

    4c05cb6cb212aff4287efb01b8d1bcaa86ddc4720c787fd7593931f82ecdecf8609dc61eb96f61a42421e32508f8a0b5108266adb46e9732532862dc31f65cd8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    ffc0d1cd4946c34dcc17614e4d2ea031

    SHA1

    79352c77ef6bf8c2da257c9b3d9dcb66a3ece370

    SHA256

    071732c6e8dac28221c7fcb8143c088b04ad6134101138c066bd30d1eb53237c

    SHA512

    b2a06dfb5e1e4fb617c188ac572cde0b71a9757d28fa042177014b51c217973e430fe308c60b40595181559ee6924a15fe51f9714ac8ec6a6149339304b8ed17

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    83013bb49262fccd5f50d83e8125e78d

    SHA1

    4cc44c01dd222c56f65fe85aea891d6a85f9ac6e

    SHA256

    e06920e3bc7d0b4711791aab03bdd52674c1c4321ddad9acb4ded3dd703a1ca9

    SHA512

    80231f95f4a8ca31d4ee28f255410ccffb2cb272aeb055995cc0d8aee15522b6e87aa1d4418625e4d0b3077d3c083946c21fcfac5eaef6979934916faa4df198