Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 22:36

General

  • Target

    5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe

  • Size

    4.1MB

  • MD5

    a26b0c1f30402f8b97054ea100d4dd51

  • SHA1

    1af814ab4eb518cf8916dcf819a680f93390fa8b

  • SHA256

    5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094

  • SHA512

    99fa76ca41d4f33999416b6256c6b839f71b4bbacb826d423f1dbe2b06f6adf1ee761970e13bba6b3de051e045bfa926ba01123d02160d26028924722b2ac8de

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUplbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe"
    PID: 2264 (process tree depth 1)
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      PID: 2644 (process tree depth 2, child of PID 2264)
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\Files7F\aoptiloc.exe
      Command line: C:\Files7F\aoptiloc.exe
      PID: 2676 (process tree depth 2, child of PID 2264)
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads
