Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:48

General

  • Target

    fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe

  • Size

    2.6MB

  • MD5

    70e4a479abe061eef8ae8a00438c0e26

  • SHA1

    8e44b2b251cde8581f0bceffd66a5cc2d7e785be

  • SHA256

    fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f

  • SHA512

    b57b61d6a477705f50b441c63924c5c76ec08279afa6df18f524f70f0b614f56b3ca1448f20bafe59717db55a6aaa5d92990231cba9713c86e7c97e72c12e33e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
    "C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2564
    • C:\FilesFH\adobec.exe
      C:\FilesFH\adobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesFH\adobec.exe

    Filesize

    2.6MB

    MD5

    a786ae78b0b320794c8b6c0788854ee7

    SHA1

    2b42b61be6298fdc1539359f1bfafd9a7ac38bff

    SHA256

    8fabbdcff5729643532f7e17a56b1e2e7a940fb1b8e65ca7497f75c146b43e00

    SHA512

    7395f4dbb416dadb92bdcf9691f7e26e00e872dc1694f81a4ccd7ca4a493a6f337446891c93ce7b97425ae643985d90c2e998da32055e4800e46d3af5533b70b

  • C:\LabZ60\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    c52b6394b49b47b3a025e0fa69f7a226

    SHA1

    cb6c9cf1aa784e2f40e207aa9613e7c044f45660

    SHA256

    fcfa93ed0f6bdee482ff7bd2f077fac8830d40e9d20fb5c03367fccf5ca3e577

    SHA512

    bb73af13ff364719f5f7e7c6c961084319462baad56e203f20ee104e31f554d58833f1bffdbc6dc5f5bf07f20d89b2294594a1b6b0985916b5e032ef8ba0d44d

  • C:\LabZ60\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    c5b73bb87dd9c7e91f48a42191d0ec6b

    SHA1

    e50d1148e80aaf0a9c4bbeae334caa42d49115e2

    SHA256

    6ef68426f1e6599f61fca185a0fdc3043a8b90b0191616c15dd4fd47a674dab4

    SHA512

    24bbb3638ee625412aa7a39d837241eefc5cf7f19e021f39da819f7b79362a9c07aa6f0e533f396a343e7748753b23100221ddea677bc9c5abb3ac7d9ab09dde

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    c44daa244853508c30356194653b082a

    SHA1

    0192eed409e4656d33230ba8706975fc49ba7b75

    SHA256

    35bbca254cb55e01a75be832772e46072d303e64e10e7403bd2eda2cbd246622

    SHA512

    c77beb7ba86a2016a49cbd89448f72544bbed5c309a52382d79d19e954ef302ab975c0f1e9e67a8a5b3a39be42c33edac5010e293d4bd466ca02dd0f1b7ea826

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    e61139b6d7046f6473c20678d8854006

    SHA1

    866905a1f4cb765e796c2b7da435156d29c9ad7d

    SHA256

    c098686d150c2803216769eb1b5b40f335bb219fd00de203a38d4ef47c1f1996

    SHA512

    74ce4ade0b6b126ce90da595ba241e6b0f0b3aeb8284cf021fe2dafbbfa9fc164c7342a99eb35658601c014e40a6aaac79c30d7d7390a58b29820e9633a17ee8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    2.6MB

    MD5

    e60c34b738f7dbe687dea40e058903e0

    SHA1

    70f66efb012f70a63199c2e1ae69167636e6f2e3

    SHA256

    54a0ad41cf068f46842fdf8ebde88d9c08115cc82b3398a7326253d0f4afd2f3

    SHA512

    fde0296b7d9a631a0bca2ab047035de2acb979d3d286e8d16bef56196d71447e9b57b82c87b8adc3e1b647bb9089ed1969d9308937cf9a3302d5d428744b25bd