Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:10

General

  • Target

    424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe

  • Size

    2.6MB

  • MD5

    b7964b6f0b7d2d2e63446814b957a1e9

  • SHA1

    664f2975d8b21db19df1ea3c9325da2852d7f14b

  • SHA256

    424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d

  • SHA512

    713e89f3c805348f667ced89466ba956422cbe4e0002594583bb103620a185235a18a8bded5ee1d1b95a846e29b0d8229c7623d861700af208b1894e71d9c263

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSq1:sxX7QnxrloE5dpUpfbV1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
    "C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1740
    • C:\SysDrvPF\aoptiec.exe
      C:\SysDrvPF\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintKX\dobaec.exe

    Filesize

    2.0MB

    MD5

    b54ad1712658017f59a83d6d1f5c7102

    SHA1

    693b2a2c290128462afa4dbad07370a4b95fe61b

    SHA256

    de15ed69019f61fe8006d2b577be4f5afabcf04df07ad96a369c468dce1562ab

    SHA512

    fc5c005e84068a70076403891227ce95a819b8d08002660cd7031ab8fb596cc01bc13d891e8913bd29721d21c82a57bec183bc8eeeaae1de3e92eb29fa8f184d

  • C:\MintKX\dobaec.exe

    Filesize

    2.6MB

    MD5

    116a1f0d2abd41d9560e0148f36289d4

    SHA1

    ced11fe4f937e239a4ffdd373f94d553bf1c089a

    SHA256

    0c386aada49c785f6f60a405e270feca7e6d422c95999dd4f7f7b1d228415cff

    SHA512

    2caf9ac43db0963e1484d166bc10945536c6271206c345032f759c27ede1cc161bfc2d7bbe9b6b7142de96b7e22865e5f0b5f8074e85cd03e1c19e397117b28a

  • C:\SysDrvPF\aoptiec.exe

    Filesize

    2.6MB

    MD5

    427207ebd81c4d7dd81ddb57cbdc84dd

    SHA1

    d9fe2718a7c9352f5949b63ce4c35c67670b9768

    SHA256

    4e0328cf1befc01047597ed2fef37cadd18683fc649e36cfe77580f07392ec05

    SHA512

    b45b76b29e878a821405614e207c1f4c0989fe39cf919f8b0779f072664ae8e6529567ffe3e58bf735b34c3038c330f87325d68768f40838102a16c67cf6c9aa

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    8c13cb6caed88915bcba112219bd7a36

    SHA1

    53d5c92302680948ca402d18b092b639619e4340

    SHA256

    b3950863393afd298b9c85e0d11dab42485ce33824e359c63782b89b7ac44156

    SHA512

    107bd85ae483f58dba0d251bed14f22c7d0454a5237ea3a8702e6104e92a395a56df05b23c8f8dc843a47fbb49aa629a0665cb803c6d6ebbf65d8c70d2685215

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    1761073168f44ccd5dca8df7fed16b6f

    SHA1

    dab49542349fbde04a67393418ccce9ab9121450

    SHA256

    f2228763ac78e0518187b83cd5e03d04bbbdb062aaf133f8297833443386112e

    SHA512

    4cfb9a3f507122e7dcde4e2f6cad21b2df3681a033eedf37cfa482115401fb07a0f461a0d89a53af7876e0fb619bb5904c6902cffdb3960c1beb9c66c28f98c2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

    Filesize

    2.6MB

    MD5

    5f8cf35d0a1bd3fc809198263e9cbc37

    SHA1

    0c73f2ca5429189fd1f71d68302bbbac7e944709

    SHA256

    03af1ecdf955906fcb3b3a8aac75857431419c6193c12c6107edf84752149030

    SHA512

    1f17e4ca83f0755eda82bfade785836e2797b690083b3e5a0234700688988e2ae624345122c7840b1b08cbf60c7a4a93a804b64a45caf7600e972f77d8e6e0a7