Analysis

  • max time kernel: 119s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 20:04

General

  • Target: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
  • Size: 2.6MB
  • MD5: bd630a9ba2c922e4babf7a3500ea6147
  • SHA1: dec4b426fed27ada83c55fe2d396ddafe14110b1
  • SHA256: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121
  • SHA512: a90ff75ef556aead376959100774cddf3f3594b0d592f7be7f061604da065f02744c06e0c98e97e256e1ff323b39cb12477288641f31567054333b4dca4a69ae
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqS:sxX7QnxrloE5dpUpobVS

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
    "C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:620
    • C:\IntelprocMD\xdobloc.exe
      C:\IntelprocMD\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxY9\dobxsys.exe
    Filesize: 1.0MB
    MD5: e124cb2c9759a37a18fd0c84ae2fb424
    SHA1: c117fe5a18509bd6c0514f64ddbb4d32cf31066a
    SHA256: 0f6242acca15715de0369288369db732b7b6b7387fbbbfaa8e49c7eaea17940f
    SHA512: 079ebeb0fa791ebbb236f3cd1a1f8dc73a322ac9f2a1e75e6c6cd9796791cf7eff6e9faed82991a2a13e741d531b3c70d63378888f32165d03e9c3abfc689256

  • C:\GalaxY9\dobxsys.exe
    Filesize: 2.6MB
    MD5: df55c12afd39a2e1ff20b959c1cd88f8
    SHA1: 2f37c8d682564dc60e8b118d237b75f3dfbf0808
    SHA256: 8622aaa424f9b17ef65997bd46ee19ee8d2cafffba9e44e7b39b0af75c662708
    SHA512: 5eb8cca0c0f6107b0bdfb4360bf881d64fdcc00f159651f5568d2ee51900d94d9344881277895c07189cc3ca02af7d16f71162fe6e0a92300fd6b369bcbd5588

  • C:\IntelprocMD\xdobloc.exe
    Filesize: 2.6MB
    MD5: 3870837866b367b67edaa241e0e8197b
    SHA1: 6a6897a7a0d4ee36cbae7be4d988f86602624f3a
    SHA256: bd3e620ce17d540b1e017f4cbae2f3fc15210a76ad65a3106734099af2a2b6eb
    SHA512: 2f3e961e506786c0b404b75c56e5df96dc4703f7d6387ce747461c7e085f8445d1107324a216bb0af692166595cb1a99e40f9ee58680e9dbaa96131a8cd1f70f

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: 7032861cab850e4d076eb5f760b48bd5
    SHA1: 3deb78c850aae024ddaefcde5c029fafc4e021e3
    SHA256: 0b6aa60af03d77d53d0f4293889648d254b965663097e88d20be71ba0cf8f4cb
    SHA512: e463f72a9d0a5156a2c2ceb288b470260963677d99222d9ad2f2c404cdc2eadb1a63578767d14697fec98582a6faa372b4c494ef32a0f9b80df222bdd830a4ed

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 174B
    MD5: cb3b46a6307350e1195a0580cf66196d
    SHA1: 30929249c728b29ccdd13b39ca0d2f4a5c3abfde
    SHA256: 840ec4fca23d36a468107273a98cba761039aff701e64581312c793a97cede3e
    SHA512: 6242c296f72964c65810aaaf9c67244b482bf860ddcfd84be124f1b3d25ea6dd592bb007992fc3d7b7dd143469111cf3419d083dd92a8ff69910e38dcd5731db

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: 8a2470c1ebcad2acc61d636cfdb7b798
    SHA1: 5685578fc7200bc4dcd2888b5b02ef750ea11079
    SHA256: 4d8d98e66e392598c9d02f84a5dd841057e7c92edb17c713f3f0c8ddd18c09a8
    SHA512: 9ba37c751a9b2a8877646084e49146fdae91e4a0025aed4b0e8511a64e418d7263e2586aee0521159f0c0821da15229ddd736096193a1ef2ccbc55e704bdedcb