Analysis

  • max time kernel: 120s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/01/2025, 22:55

General

  • Target: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
  • Size: 3.1MB
  • MD5: 2410c92d917a12b2d18a6742a7d69a20
  • SHA1: 385ec8d713f39b691ff3a86559d07d3a04742347
  • SHA256: ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5
  • SHA512: dc5d6622aacc9bfe92f283df7df6e464145195713f62ec76d58964903ef75e1d36fe434e27f2a10b0725bf8580ad06d242b88ca79135d56bdf5cecaf16896181
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpabVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
    "C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2900
    • C:\UserDotFP\xbodec.exe
      C:\UserDotFP\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintV8\dobaec.exe
    Filesize: 60KB
    MD5: b3b7a9f5f3d17e3555825a59df9f2a7a
    SHA1: 6161f42b3651f2a4691dd863f579bacae1a8da4b
    SHA256: 9b8a5165f6ec39bf0e94858053b926663bff0d17eacc6095aa35c73a48e8e911
    SHA512: 5b907b41c898f42947fdafcdc4aad87678845fdd5349c6af1e82a3f2586cd17401c2a5621c3b4893aa92813ac1f0ced6b6f591d23027580837ced8108b4c3c05

  • C:\MintV8\dobaec.exe
    Filesize: 1.7MB
    MD5: ced5548eab3b7ac2d65dfe4e79582ed8
    SHA1: 78674c5faddf5a35f2f09867cb5edead7a524bad
    SHA256: e2b09e6b04e2c6d4183916ddcd2d02d16c47d6cb0c14772879c035ab642235f0
    SHA512: 1498c396d3ce702ae43428b9bc92f8fe5de3e675bda0701b9e7393b6c3b9ee5e6640d4a89a4dbc7c6410e3a2ae45315486e678b1814e2a048ce7f9d2ceb4a529

  • C:\UserDotFP\xbodec.exe
    Filesize: 344KB
    MD5: 8e8e820925103b3b2c083de15dd4fd1c
    SHA1: aa18a08d1ecddb360e575e01031d95610bbeee91
    SHA256: 0005f03ffdb99aa9fada1ba622f464f235a8753c264f5602ca0c117e923bc155
    SHA512: fda6d18e11d14947d4da5dbcbea8832355421c7688442975ef3aabf3db71fdca0b4f3e46f409cc7360914bd7dab11ed898afd8b23dd33dd247f0b20609f64fee

  • C:\UserDotFP\xbodec.exe
    Filesize: 3.1MB
    MD5: 0076d5f0cedd9343247fa2668549d1f5
    SHA1: c22f8b37cd090c1b86e8a228be20614b71c6064d
    SHA256: c3f200af03d9e719ecee4742f49f715062c3ecc67a1af15e96c2eb0229892159
    SHA512: 77b8bf4b2ec9031c84c3490fbecee3d7d6dfb03e36f0187337491b96a7d949417e5dc59bc152c215c5b6ddbb2cb02b2a082e38e1618a3a1a9dfe48495be09b31

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 200B
    MD5: 0bf40e4d687a5aab43ed4e273222f39a
    SHA1: e5494b94fb0a27010675ccb9527a3d19bd1abe6f
    SHA256: 03a1638138f6dc5f5857f3838d6b59bb8385c0d7032cae8ba87a53d656aaf006
    SHA512: ee485649b3106cf7bcf696d4a64db51d927bd556b2c5e6fed64d59415e06f840e5bec2a00f39ddc7da1fa79cd3ae523e57fe3855639eb18cb2399db6437e7630

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 168B
    MD5: ffc7d599e6cf7b2deca03c55b77ef468
    SHA1: fc13b5d737ee2e5e382274c0f60eb3a0748ff698
    SHA256: 3b16ea547d0f1ee08704b9bfd0a3daab1a4702383ce908d4e5cbe681be0f2365
    SHA512: 8d2a9c906b27f602bb83d8808b513a8ff1be1f12b8ab380807402a6f798fd49812c4e42e5c3fc298a347877b38dc50f1a0e1f4fd157ed500f9b096d65e2e394a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 3.1MB
    MD5: 9467251cfa809c9b6de8477a33868a13
    SHA1: d6c66cf7c12f54d90da33c0de2f3be68f4a15c64
    SHA256: 7f140aa47479eee52119cbfac9919d93e742c76444019ca6aa9510464ce04295
    SHA512: ab6abb5114c389060bb9c552481ab7a414c7e75737d47f3207c80b36ca3e1814d543b126d91a7ddbab0a319b9353a1fe7d3439d60230486a8c9018408f7225f6