Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-05-2024 19:23

General

  • Target

    1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0.exe

  • Size

    3.1MB

  • MD5

    6d2b497fe276edc9a05e2047ef8184a2

  • SHA1

    d74a1a97d86779111c18809a854fd575ffe8a7f9

  • SHA256

    1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0

  • SHA512

    7577e52e14665b788c5f27693491c9eaf1351267a1f11fff45765f8023136b1597e3c14c9b5e95c21afe83328433ea34b9564ce1a9777e84f31cd937323240e8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8:sxX7QnxrloE5dpUpVbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser profile data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0.exe
    "C:\Users\Admin\AppData\Local\Temp\1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4236
    • C:\AdobeLZ\abodec.exe
      C:\AdobeLZ\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4448
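The chain in the Signatures and Processes sections above (an executable written into the user's Startup folder, a Run value added, and both dropped executables launched as children of the sample, PID 1880) is what a host-based detection would key on. The following Python is an added example, not part of the sandbox report or any vendor's code: it replays constructed Sysmon-style events for that tree and fires the equivalents of the report's signatures. The field names, the dropper's parent PID (600), the user SID, the Run value name `abodec` and the SHA256 attached to each ProcessCreate event are assumptions; the paths, PIDs and the hash set are copied from the report.

```python
"""Detection logic for the persistence chain shown in the report above.

Added example (not part of the sandbox report). The event records below are
constructed to resemble Sysmon ProcessCreate (EID 1), FileCreate (EID 11) and
RegistryEvent (EID 13) telemetry for the observed process tree. Field names,
the dropper's parent PID, the user SID, the Run value name and the per-process
SHA256 values are assumptions, not values taken from the report.
"""
import re

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# SHA256 values of the dropped files, copied from the Downloads section of the report.
DROPPED_SHA256 = {
    "a02323655a3110355f53ec6bf48a51329c5c37833cdf15d0452ca41a14b76cfa",  # Startup\locdevbod.exe
    "194123ee36bc4cba1627c299fdefa4997784b9500b613312e45794c77ac92b87",  # C:\AdobeLZ\abodec.exe (23KB)
    "ba63c21caeffc44d8cc2872fe10dc53308a01a6cf5ba94735c97e6144716de19",  # C:\AdobeLZ\abodec.exe (3.1MB)
    "b1ed02df0da2dd948f0a3092901e598ee4f2226e7071c6dd3b0d394b8a9597bf",  # C:\KaVBFR\dobxloc.exe (3.1MB)
    "543e365d730213cdb3969fb30e7a2127171cf5d8ca84837d5d0559395d3bd582",  # C:\KaVBFR\dobxloc.exe (2.0MB)
}

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locdevbod.exe")
ADOBE_EXE = r"C:\AdobeLZ\abodec.exe"

# Constructed telemetry for the Processes tree (1880 -> 4236, 4448), in time order.
# ppid 600, the SID and the Run value name "abodec" are assumptions.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 1880, "ppid": 600, "image": DROPPER,
     "sha256": "1e8e3f565b7b9061f49d4be4a1fcd5d5d787b60379c860067bc676b8bdd350b0"},
    {"eid": 11, "pid": 1880, "target": STARTUP_EXE},
    {"eid": 11, "pid": 1880, "target": ADOBE_EXE},
    {"eid": 13, "pid": 1880,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\abodec",
     "details": ADOBE_EXE},
    {"eid": 1, "pid": 4236, "ppid": 1880, "image": STARTUP_EXE,
     "sha256": "a02323655a3110355f53ec6bf48a51329c5c37833cdf15d0452ca41a14b76cfa"},
    {"eid": 1, "pid": 4448, "ppid": 1880, "image": ADOBE_EXE,
     "sha256": "ba63c21caeffc44d8cc2872fe10dc53308a01a6cf5ba94735c97e6144716de19"},
]


def detect(events):
    """Return (rule, pid, detail) tuples. Events must be in chronological order,
    because 'executes dropped EXE' only fires for an image written earlier in
    the stream; a ProcessCreate seen before the FileCreate is not a drop."""
    written_by = {}  # normalised path -> pid of the process that last wrote it
    alerts = []
    for ev in events:
        if ev["eid"] == 11:  # FileCreate
            path = ev["target"]
            # Last writer wins: the report shows C:\AdobeLZ\abodec.exe written twice
            # with different hashes, so a per-write hash would be tracked separately.
            written_by[path.lower()] = ev["pid"]
            if STARTUP_DIR.search(path) and path.lower().endswith(".exe"):
                alerts.append(("drops_startup_file", ev["pid"], path))
        elif ev["eid"] == 13:  # RegistryEvent, value set
            if RUN_KEY.search(ev["target"]):
                alerts.append(("adds_run_key", ev["pid"], ev["details"]))
        elif ev["eid"] == 1:  # ProcessCreate
            writer = written_by.get(ev["image"].lower())
            if writer is not None:
                relation = "child of writer" if ev.get("ppid") == writer else "unrelated parent"
                alerts.append(("executes_dropped_exe", ev["pid"],
                               f"{ev['image']} (written by pid {writer}, {relation})"))
            if ev.get("sha256", "").lower() in DROPPED_SHA256:
                alerts.append(("known_dropped_hash", ev["pid"], ev["sha256"]))
    return alerts


def rules_fired(events):
    """Distinct rule names, for side-by-side comparison with the report's Signatures."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<22} pid={pid} {detail}")
```

Replayed against the constructed stream this fires `drops_startup_file` and `adds_run_key` for PID 1880 and `executes_dropped_exe` plus `known_dropped_hash` for PIDs 4236 and 4448, matching the four signatures the report attributes to those processes. The `written_by` table is deliberately keyed on the last write only; because the report lists `C:\AdobeLZ\abodec.exe` twice with different sizes and hashes, a production rule should record the hash of each write rather than trusting the path alone.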

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeLZ\abodec.exe

    Filesize

    23KB

    MD5

    92e05ba3017090c77842fb48869867bc

    SHA1

    6daf02c129156f59bc6defa6b1f3a93c9e3e8df6

    SHA256

    194123ee36bc4cba1627c299fdefa4997784b9500b613312e45794c77ac92b87

    SHA512

    26dfc6a1ba28fc660b5ebe9ad0ba738c63153219c91b3eec80a3228467813965cc374edceb619f3c6bf17e6d8df54fe902958e15591873b3893d71ccb9cb020c

  • C:\AdobeLZ\abodec.exe

    Filesize

    3.1MB

    MD5

    2ca5da903af0a1c182947829de468f28

    SHA1

    c78dd90f170fa21491b507435d8b4886a25c11f2

    SHA256

    ba63c21caeffc44d8cc2872fe10dc53308a01a6cf5ba94735c97e6144716de19

    SHA512

    9b64a49279028219535c432709b26e5a570d0aa8d52bc6de127b6d1ecfcf0b0c5950c67d662b2e683fd2ef1c0d008b01f633322f6367a996ada3bd80b81d81f4

  • C:\KaVBFR\dobxloc.exe

    Filesize

    3.1MB

    MD5

    e4df22ccdbce30fb1e52ce5318d938b1

    SHA1

    3e70bb9d7d9f0b9f7f8f693592d20d9c326f57f5

    SHA256

    b1ed02df0da2dd948f0a3092901e598ee4f2226e7071c6dd3b0d394b8a9597bf

    SHA512

    aea69fe2925d14f4356a4a87a3b7d2c1113019f5a3f0d51bbb39deab094c401fec62d6626a63cd7d040bb119ebf2dd0d3261b1ff55050c59684222d0cdb3ece9

  • C:\KaVBFR\dobxloc.exe

    Filesize

    2.0MB

    MD5

    26dd35a579fe64521155d56fb2165430

    SHA1

    f4c6f3c0b443ab8c435d4073e512c40c1534d408

    SHA256

    543e365d730213cdb3969fb30e7a2127171cf5d8ca84837d5d0559395d3bd582

    SHA512

    6d75a3878462e2d3d520d6424d92e59563e9b7d372ba37b3d0c12ba10d33c127c87ea09f92ba306f61efe83d7715ee1e00264b144e1514a9bd883e9cdf0f7976

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    f77d5811efc3e3c6b1dab8160fb61221

    SHA1

    6cb1d74179d6455a79515b2b0a04088542aab045

    SHA256

    e9d3b25476b3bd927456f009bb931b0ac5a6a38c439a397c37cb02c5f087badd

    SHA512

    b9be9202e36b3d6732153b5552aa3ef52b626cd5292696f7fcfd975450309f458f1df4707b78eeea656b820edca543662b60c5bf8eaeea936d12c142828457c7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    f0b279d03432cf45e21fe8473097b117

    SHA1

    a8527d3ac331c6dafa00a2e3120a39d7e8555e4d

    SHA256

    7cacbe84a25e121b02435bf5e976533583d5fed8e2ca2ea9988bf6c8c3f3a143

    SHA512

    89be33b40e6e36e48637af73bfcb2a47909b692f8a7cc558d2d3012b5c1a6fff5d615874957c3f2007386772fae8e9ffa3ed6b6e5880152ee9e5f63ecabfb969

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    3.1MB

    MD5

    0ce2f0418516995027f7fee665011a10

    SHA1

    d97eb203a2e065d6f5b08090d9b79b64792f5a90

    SHA256

    a02323655a3110355f53ec6bf48a51329c5c37833cdf15d0452ca41a14b76cfa

    SHA512

    659939231e70326649ea64c78ef9b4f20797c7fd09aec1503effad39122e8c26961c2735cc568a3d4f772790c5a2ec8beb0e42dfac5c16eaebff8caa7c377afb