Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:23

General

  • Target

    bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe

  • Size

    3.6MB

  • MD5

    d4c7e99f9fa1071f60f5e8be949a6554

  • SHA1

    dc7efdfc80aeab13dcfe9052135bd22757defe00

  • SHA256

    bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602

  • SHA512

    1f97cc9c34763dec1b0d7d21873d14e5d561e747f2f2c82ba6bc7eb48e29f3ad2aae88c3c8fc674440fc06c902d64260b815f1bf12eb335d87a794a5574846c1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20tK:sxX7QnxrloE5dpUpNbVz8eLFczp

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
    "C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2244
    • C:\IntelprocBX\adobloc.exe
      C:\IntelprocBX\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2156

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocBX\adobloc.exe

          Filesize

          3.6MB

          MD5

          bdd5159659c3553b63b02402def48e62

          SHA1

          1652159d53a2a0536354ad663a5749a00bf3f773

          SHA256

          f9f3ae7544816c27d297838da0cc5771eca1e5e6aeb1977deb76c0a16753b39e

          SHA512

          d0f79ef3392ffc3d0164653656bf3ed43bad28a7a5cd0603681cdf933e3b3621f2b54ab929733240a4faa41e82c5772760d52b3b41690ee6a711a9cb73a09dea

        • C:\MintPN\dobxsys.exe

          Filesize

          3.3MB

          MD5

          a159bbdc930c70b159452e1bbfa22f9f

          SHA1

          b1161997c3c5ddf9fe1e4b01aa112df317d6ba75

          SHA256

          af7e7a3a6538b0ec5871eb43d412f6cfee0f7d39776891ab24d3fbe18f88312e

          SHA512

          d469ee4983500f03e0199c0fbc3b6ebaad5b8ee518a14eeceae0cdb2c2bcffc74e54937f05e7b7fffb48afc7b8ff924c45282877261e98bee84eb6496e9c7a83

        • C:\MintPN\dobxsys.exe

          Filesize

          3.6MB

          MD5

          d6be2cb3ef854fa57410fcf395c19da0

          SHA1

          2929e6dbe8e957759549d4ce37620ca7ba22f3f9

          SHA256

          0b46b81360203f4735aee07d025e74eda04f4e1ebea12741d4cecfe6e8390a9e

          SHA512

          b3e97823f1c3e0724b3e427cfcb4adf98674c5f352b2781b06a5a34604978901e92b797c7ccfe69e10820565f56fd1b31e48889c1d53e8c5bbb276400fd7c641

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          7db9c0ab0f642e3e8a79a63731f0ad7a

          SHA1

          3d8f606fe5ea9ccf85e9dc873cfa9674adc72858

          SHA256

          199700680c8b2ef7fefab12872c17a08d792b4876eb730b6d142073126b8eeac

          SHA512

          5ec18a7d97687b51900c9cbb5ee927a4011230d9c04809c3d09a935b31191e13d80f4926754bd678b997b1e8636857ffa8cfce56b4564b447eb9d6b204b724ab

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          e5fbd02c3fea7ad97c4ed2cdcd6da036

          SHA1

          d5aa9ff1295583ff1fbe64372ee27e17683fc5a9

          SHA256

          4a4e45f7bc5ac2e85f0e4cf0dc39003042820e678213d0068e9bcb49a2aab2de

          SHA512

          dd5883790f80720daab999ad752449f1264a2f66185c07e66339093e5e6350f3c1da624cfbee27547b602a2573436129e7d17e453a9c88f1923fa17ebe91f660

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

          Filesize

          3.6MB

          MD5

          e17c37fbb7f98d4fef081bbb16aec72d

          SHA1

          dd36b8db73b31c3a98e5de85bd46b7595f5c0b09

          SHA256

          ce3f264497596ea15a0f76f8a3bfdd78efaf06c2d3226ca16414cacceed3688b

          SHA512

          125da137e3af5c03cc37193c959683d5825c41f57bc74c27d2e8116bb01275ee39000c22524f688aba4fab072a405d72fd513a70a10610d9d875de13a177536c