Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:16

General

  • Target

    921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe

  • Size

    3.6MB

  • MD5

    946e96ca62b871e3e14e970df293a6d1

  • SHA1

    677c41095bb811335f9c32d2817b9f3939ee37ea

  • SHA256

    921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d

  • SHA512

    3a1fcb107c961178251074d3eaaf65ff0b7b809b0ed012bca9b8c28e56aa166c3d258b8b613ef9a871fa83c4edd0f0012a71771e88ff4fea971e7726d3f95f03

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
    "C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2836
    • C:\AdobeTN\abodloc.exe
      C:\AdobeTN\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeTN\abodloc.exe

    Filesize

    3.6MB

    MD5

    8ac3266f49c64040c712c10fc234c62f

    SHA1

    7e8e28c6cc34379dc2340090a3cae4aa5cb3b017

    SHA256

    58963c6000ddf5f43015834126faeeddc22046492ad23ab5dba6f201da9f7d65

    SHA512

    d6abcbb842d9d1f686729b3b49c99b4b3195b3237a50bd265ffc881d66c92c120b42200a4e13070cfed1f2cc5905949742678a05ec0797401495eb2e4e10f38e

  • C:\LabZN9\optidevec.exe

    Filesize

    1.8MB

    MD5

    a11f76255b9ca6234bfd6aa66474643d

    SHA1

    e3cc3fe2e8e1a624e3288e828320a33d91a8d733

    SHA256

    2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

    SHA512

    5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

  • C:\LabZN9\optidevec.exe

    Filesize

    3.6MB

    MD5

    57b7a8c2696bdf520d0f67ec94999e80

    SHA1

    23193cc5ecafb03d3105652c63d52ee8471d22a9

    SHA256

    22db315a118f6a5505dfcc74d0dbfee8c6d1ccce5e4ba303feb64583d8d282f8

    SHA512

    82eabe55726f3c2e31738392a10fda92aef9d6c0b8d019b508e199126d6f576951fd031ce7e1a1019ce18724265f381faa0403a6c3880177472e7df20998fdbe

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    0a6940abb8c4b928ae79930eaa0e920c

    SHA1

    1051245de4f6778b6dfd598fbc79d42c76c99366

    SHA256

    cdb565e608853f589933073e9803e1aed1a464f8ab2523fbd9118edcc935c388

    SHA512

    f1f2920d5c3c6d3ef36472603bb58795464deecfac141f3ebd82d5c6f7d66d76aa07bbe833795a1e8f8fd8e8ba90b3c8dc26a97fff284c7a8abe251f91365115

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    684aa04252a9a110fe80d069dc598804

    SHA1

    6be7db7e9e7bc03f9dc84508cd8b3b756626a0e1

    SHA256

    1166674a2b3e1d233e73481a797faa9f62ff8fe6ec825e34586ca527c9edfb09

    SHA512

    a739ddbcd21ab94f5d9018c8bed2de84febd0f4885558cec6dbcc694ca892f84a5b8ddcbbabdf76bb2166e8c6328da014896bc0bfe8b1c32260ecb41aef56cf0

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    3.6MB

    MD5

    629d20ca24d7ce9efbc01469e7aac3be

    SHA1

    1369227bc1e0b951dbd2e11fed2be193f1ccd9ee

    SHA256

    24d0f43a381c1eaa0dc2a821738982753a3882cfddd4b58935a014a8a62b2d84

    SHA512

    254f7328b8a47de90fc80aadceb79b4fe7f814906fb93b62e72b84bb6617742d29d3a7ff70eaa2af04c2831f6c9c7418eae3a2458f3edc9b962a6cbaa13ce9fd