Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 14:11

General

  • Target

    3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe

  • Size

    2.6MB

  • MD5

    3b729d280016cc0e8979dae8c6a180e8

  • SHA1

    30b36936fc95234716ce406a9a355a9ed0e7c55a

  • SHA256

    3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945

  • SHA512

    3c99688aa4875bb4b155ae0c9fb8fec5f9194f3feb8ea7a9e54fd7e085099d779dee8b8f9b0e15d8204d9b04f9301ef0db5a872be1dd64ae9f7ed677038165e1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS2:sxX7QnxrloE5dpUpXb3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe
    "C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:228
    • C:\FilesV0\xdobloc.exe
      C:\FilesV0\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesV0\xdobloc.exe

    Filesize

    832KB

    MD5

    24743b623d803028ebfa9a7db33f55b9

    SHA1

    b0a85b0efee5a967bed2eeda097fede4ac8887b1

    SHA256

    2c68ca126c426b002ead74fe0a4d61a0d07a4e17e0e4863efa0490c250db3c51

    SHA512

    5a3cf2d0d652c0968922ccb764b454bca7c7cabd0e14428072d0d053d73380c56c1e2788b1aedf27c11f5ae0bdeaff7084572d2cd26667004a201f8283e607e5

  • C:\FilesV0\xdobloc.exe

    Filesize

    2.6MB

    MD5

    5c23441c2676864f4dd066e447853b88

    SHA1

    324b0e81e76c43efcba2ff9b287337477f4554db

    SHA256

    bbc774d62ce9bb680097adf723738e9a2cbf8cf511bc9fa4024c006b7b400d6d

    SHA512

    53dc4d50bb8d11a0795e190f3a82cfbc7ef1cc9eb888b33e3debc8f9dba6574aff841cf4258e7ba1a1e12bcfa679c6ddc24ca45882752a4e1848b19a6d7ab6f3

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    199B

    MD5

    a8f166addde916b26053c38cd3971528

    SHA1

    6236d91a145d52260ce6fe984923e45fc75d490c

    SHA256

    0922849722a060b2715916d4452b4c13a26c0ba457461635cceb51fa8eb033a8

    SHA512

    3704b8a8856f1cda0f71ce99ee9664748331dea7915e7491918e7458c5e99fe6f92bb7cb0f0a3365ff8e9b9d920d35f2ad7c74c692df41775ec335f507254af6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    167B

    MD5

    3fdd0ff3e00b6bb9bb37037ab17aaf84

    SHA1

    0b4319f55959c57807234babbe497002010e3d02

    SHA256

    feb2b24d14a7eac2fc37d8a23343ba67f2a3ac25548e06b01687177ea70d358d

    SHA512

    56e2ddc428c841525ca9196f171f2df055b558439a8a7cfc6037dcc89ebb6a19d97244f11d0518982db3cdc5eff1e727a0d0952bc63eb05457ca405cd6baa760

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    2.6MB

    MD5

    5c2f5ab41697429f7f63681733921f9b

    SHA1

    b529728d5b83f9dd98f936fb522734c85dd490eb

    SHA256

    c0ca190a4d806f640db3541ab2a31287decdc8a1c6e4c6b30d7f987d0dbbcaf5

    SHA512

    63f1d91101b6b9b259df0f434dc682f65e0e3432d376dc17e9dea6a506b82971d69d15686828604b8854ea2cbbcecc5ab77dafcf3c97d1c4660b13358dce3ae9

  • C:\VidT2\optixec.exe

    Filesize

    2.6MB

    MD5

    8eefa0e13411448f98c8fab793b0ac24

    SHA1

    90c4f14cf2797412d59176f3c0a3739efe4b2670

    SHA256

    a9fa0e1a3168a59a6873baa9d421b2a34b6880f33950da003fee95291b38f5ec

    SHA512

    86676a5210ffd86f318aa2d84d9891ed369b2ac33c5524eac5e3cc7ead92cdb9d15e5f32c632d7a647618c5c9894ec275a4f03820f9e3dd7a11f36ba2c1ed35d

  • C:\VidT2\optixec.exe

    Filesize

    865KB

    MD5

    eb2c88a88106054717f4ca7714d1d1a6

    SHA1

    d966b53c1c3405f0064a963380548af1f6ff4b10

    SHA256

    a45804ed5ab85df12b20e083fb915d8088099cf81e6bf03c571571a68df1d3bc

    SHA512

    f3ac637c12ec7870540e88eb7d85297de70eaa220b8e4c208980600fd20db55ccabbf2cb7d463c33f15824b80d2eae9fd3f092ddf9b94f1360d515c5622fdc3f