Analysis

  • max time kernel: 119s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 20:12

General

  • Target: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
  • Size: 2.6MB
  • MD5: 8bc258d93c9660e6bab845d73bf1741e
  • SHA1: b20ae60359f874b72be577665ba9f2c1eef75a12
  • SHA256: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580
  • SHA512: 03716287275c54d878f34baedc60e265dd3f37394f175583c2ddf71827e23642d59365414f1617f09ce9a5b4d7649695bdd74f44ede20a3d6ce34deff65e8a9e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSQ:sxX7QnxrloE5dpUpfbP

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
    "C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104
    • C:\IntelprocTR\xdobsys.exe
      C:\IntelprocTR\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1648

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocTR\xdobsys.exe
    Filesize: 2.6MB
    MD5: 954651f7d00d3350594c12944fb2f9b0
    SHA1: c5efe6c66b4ec6ffc2558f5452aca3bc836100cf
    SHA256: 7c1e922f41454239fe9b58c6f0642523def71218aace0f3ca0a10d75fcb32ff2
    SHA512: 38ac7473fc933c8508eeb4949450b0b8e163bdb1db087ebd0d6e8770d8c20da7935cebbed815389e417f984d487fd4f84369dac169c2aec800001c9761088c43

  • C:\LabZPY\optidevec.exe
    Filesize: 2.6MB
    MD5: 95ad5aa58c62b771b1327e70d47ad40b
    SHA1: df42c055d2a39e205e849ebf838f8fc7d5020594
    SHA256: b2baaed62f5a76863af5dc60c0cb415bc28ad2c599db3841793f2afadcfe0af8
    SHA512: c6f418390b90758b048f847da8d1a89de7fd98e8b5b34a1b2da4cc2b2b78e2d164a651c129d7e54914a53740652ebfccf147a1805dc9d333f0ea631e9496fd28

  • C:\LabZPY\optidevec.exe
    Filesize: 2.6MB
    MD5: 2d3ad9db8a8a621130acb365546f89ce
    SHA1: 99c1811274afe910d71c8169aebe85ced123e0d7
    SHA256: 5631889a0d0e354f2ce334eb3c064ef01e7276937a23eeae6b79e06aa25367cc
    SHA512: 8e6915f41544101a9c0f2d360d56c813f98ec9f69a7b9436c749a024078d3ce19ed3e0086e79517f1ddc7933688033a79761cc2b4f30be8905f818f7a3458269

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 176B
    MD5: ca5d6a9470b6d5305d79fa33af8deb7c
    SHA1: 6384c27e3a8a5c9da9c6292e72d61a1eef5a87ed
    SHA256: 7f05b9340f9a0ccd9fafd7f67da610d792b7980413f15003588b66e2316b32be
    SHA512: 1583d62e172ee15bbffae15a40fbbaba25ad9c5b7da09526c90da2b58fa14258b60dfbb81abd6bf8f51e2252ed33712bf74e7038938aed160754383301276e87

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 208B
    MD5: f791eb6af039cbe646b3cd54cc906bcd
    SHA1: 6f156bceff6747e652ed203e009724f0b87ed0cc
    SHA256: b34448bfa3fc25613666acf494e1e6469a4bb3b7c5da9bc67383d8f14859143b
    SHA512: 6116fbf29f9d4ae1e3ae7b396fcf0df8cb1856ad1bad18b7f25b7a100fc3269fd13dc488153ae56224f4127707f7705e7c9849cb06fc696695e282931d6628b5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: bb899895dc086b946535079615b0b558
    SHA1: a7370f790e954929d740d12cd3f47140e2b29e5e
    SHA256: 45fe8e43e996dceb53fd70eeb1191e6ab6ba3e906b08b91479b8beb9aaa13471
    SHA512: aa830945b206dfa4242f11619852516c61a03f6f362acf7754b3ad66124e34e591ac09cc34eef3e1fc52231dbdd8fa9f16cb2a6d2a99d33be24244e5f7307a8f