Analysis

  • max time kernel
    120s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-11-2024 14:03

General

  • Target

    9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

  • Size

    2.6MB

  • MD5

    01f60557ffd5707eeb3f3f0beaea875e

  • SHA1

    500a7b246bd9b0f6eeff18098d5b347103e3e447

  • SHA256

    9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6

  • SHA512

    65c4e81051eda876f55a2bb6d8e9b2081de730670e57e670d2a7c9c4c782724dbd099d9df5d4c89a9cc6a91f999088cd0d4220aba6935465b3a0aafa0b2b13d7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSm:sxX7QnxrloE5dpUptb/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
    "C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:972
    • C:\FilesSC\xdobsys.exe
      C:\FilesSC\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3188

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesSC\xdobsys.exe

    Filesize

    2.6MB

    MD5

    1b98da710b7e4c97e0fe5e64d09c5595

    SHA1

    d07f1f2dda13dd93972dbd74b7e35be0121445f8

    SHA256

    b7d206bdfca50ffaf078bad890c2429f8128f9a86e76bb4bb97d74bd4f7d7a0f

    SHA512

    4adcf16e2c213e44139b9b2408ce31ffc80ca0c0d61f9d648a31b2cb615c53192a959fbb45c9ead6c6c13f55407146dee2c1949a9b3f2cafcf8dad4c4c7b379f

  • C:\LabZ6O\bodxec.exe

    Filesize

    172KB

    MD5

    906e3595156f9e420811629768bf2c11

    SHA1

    e7fee45fcf34468246ba5185127f2751af0c33c5

    SHA256

    8a64cd9ed65b9872807349266e85034ffa20b5bb92e12263ee9ba6a0b72c0da3

    SHA512

    dfed7178e0bb47cb2c2e89e638a77874116c879c1120ac7182cc8052b222b24c7d6c6da840d97e84a9dc6b2ff4452ba7ec0a4d9e1f632a4105149ec942fe752e

  • C:\LabZ6O\bodxec.exe

    Filesize

    670KB

    MD5

    1406f16434002a4237254b696829cf1a

    SHA1

    a6d6b2aa509addb642e20b14b143f0b0272d934e

    SHA256

    b5cbd821b4aa397b94c4e7de6e7f2fe8a1ce68d8967ba7ff2d971cc4da2f432b

    SHA512

    cac2c4b00628d51c7b1873dc17c82aadec310a894da368d9e820050b5503c0c787a593b2ab179944f68c2fa0f21ddc5a7e2573a035661289165fa08d052ffd8e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    9ac6f8c366920e91f6835dd5bb9afd54

    SHA1

    e7a69d22fbf6bc8d8f349e65b47d0ea144411958

    SHA256

    857ae51c2a591c74c1abcff5f3a69544be1a7757cb5512d14e701392f8d2b108

    SHA512

    09ffb8931077a0dccb368cf131c40fe9e6030991e86506092d31db6b44df2975c24f5f1a5ddd34c4290b2d7884a9102aa4907b29d155a212dd7019865a57c1ef

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    029d6b7e2070177ae11ebe5b15e16b87

    SHA1

    e662ac80c221c19743e1eee01811893c406ba42f

    SHA256

    c46634033fd2513456b033e23010a9cff4c44231075d67596192500238f235c0

    SHA512

    907079615735d7d17248ddd3bb8d46a6133a94b21b8a5faaab4377f28b6078f433e4175052d88791834c727b6c626296dcf2356b4182081c7c37325e9201fb37

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

    Filesize

    2.6MB

    MD5

    bc358f64838292329b4e0cb510f8059b

    SHA1

    da26e388421f9f8b3c7b9d08955b682557f95196

    SHA256

    cb45b94dd94525af0e96fadbe7020fbcadd084502082eee41a4831d6e9edd105

    SHA512

    a025f939ff84b0e043e26455a639bd12ffe1651332cced0d53549af2d712af89596678000738953d2605f7791958c034064e972a77074293c9bb8a5fc12a0a94