Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 01:40

General

  • Target

    b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe

  • Size

    3.8MB

  • MD5

    7119474195def2bc277329642d74f37e

  • SHA1

    8c9aed1f5b9183af9021ab64641a792000ec3f71

  • SHA256

    b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c

  • SHA512

    20bbf648aaba9e02a573feef5e539e98820ae7ea517f5d9360f9ac1107bdd6881c834cac2b4059c77c4454fa753b51180fb90409411c4dcc4eb23d302c9536f2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
    "C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2284
    • C:\SysDrvG8\adobec.exe
      C:\SysDrvG8\adobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2616
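
The two persistence mechanisms flagged above (a copy dropped into the user's Startup folder and a Run key pointing at the dropped binary) are the first places to look when triaging a host for this sample. The following PowerShell script is an added example written for this page, not code from the sandbox or the sample: it walks the per-user and machine Run/RunOnce keys and both Startup folders, resolves each entry to an executable, hashes it, checks its Authenticode status, and flags anything that matches a known-bad SHA256. The `$BadHashes` table is seeded with the SHA256 values of `locaopti.exe` and `adobec.exe` from the Downloads section below; the helper names are this example's own.

```powershell
# Added example: enumerate autostart locations and compare against report IoCs.
# Not part of the sandbox report; run on a suspect host as an administrator.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# SHA256 values taken from the Downloads section of this report.
$BadHashes = @{
    '9f46962c20fc8a01335ee0b0d793e276e4b03f196c5c88058bc932187e12af80' = 'locaopti.exe'
    '2fdd05b6b95f444644c6d233141552a01becb24043e9f5494c0a8ad927d2ccde' = 'adobec.exe'
}

function Get-ExecutableFromCommand {
    # Reduce a Run-key command line to the path of the executable it launches:
    # take a leading quoted path if present, else the first whitespace token.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $p = $Matches[1] }
    else { $p = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-AutostartEntry {
    # Hash and signature-check one autostart target; returns $null if it is missing.
    param([string]$Source, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig  = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    [pscustomobject]@{
        Source    = $Source
        Path      = $Path
        SHA256    = $hash
        Signature = $sig
        KnownBad  = $BadHashes.ContainsKey($hash)
    }
}

$results = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $exe = Get-ExecutableFromCommand -Command ([string]$p.Value)
        $results += Test-AutostartEntry -Source "$key\$($p.Name)" -Path $exe
    }
}
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $results += Test-AutostartEntry -Source 'StartupFolder' -Path $_.FullName
    }
}

# Show only entries that match an IoC or are not validly signed.
$results | Where-Object { $_ -and ($_.KnownBad -or $_.Signature -ne 'Valid') } |
    Format-Table Source, Path, SHA256, Signature, KnownBad -AutoSize
```

Two caveats: the report shows the same dropped path written more than once with different hashes, so a host may carry a variant whose SHA256 is not in `$BadHashes`; the `Signature -ne 'Valid'` filter is what surfaces those. And on a Windows 7 host like the one in this run, `Get-FileHash` needs PowerShell 4.0 or later, so check `$PSVersionTable.PSVersion` before relying on it.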

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\KaVB84\dobdevec.exe

    Filesize

    3.8MB

    MD5

    70aa8c198830a2b01c12da238efea175

    SHA1

    0359588c88dff1aead5a9d5775eb458529dec140

    SHA256

    c64518595965efea82f4b83c62f1bf2e5f3b5d2e7c23350f5b546e873bd095f4

    SHA512

    16fcd7786f20d642a6e9f45e91e5fff33bf7195314aa2957697ea3642e3baca60c59300d26d10305590337134f2f57b22a3189d9f032504336e1a08a99e05c79

  • C:\KaVB84\dobdevec.exe

    Filesize

    3.8MB

    MD5

    3096be6033ee11a269658c9d93308c8c

    SHA1

    6415cc31eb30268b1d4ec5b0e94e499c973e62a8

    SHA256

    95fc50e0196af9c373a0409002cbf4b53736d0f5e06b0c1817cd448726755539

    SHA512

    77cec7d846cbb9b19801c29cf1799b0c45c7d81dd31fa2e659f975c0511ec34ef4b847a72c4af2ef3e7aebae29f12f2f5f953bec8bf41edc0d56ca2181305376

  • C:\SysDrvG8\adobec.exe

    Filesize

    3.8MB

    MD5

    9a850de66dc5881052d3985cff1595c5

    SHA1

    0eab63ba20131b91d0940c558d9b9698b2762a4b

    SHA256

    2fdd05b6b95f444644c6d233141552a01becb24043e9f5494c0a8ad927d2ccde

    SHA512

    47240e84c21ddd92c026393a18f289c83716321504d2c9117b93ff411e5fbe720831134d1606711bf381cfac96d10a2f5e2d71e8fd99d4824080f04543d7b92c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    60c1dd32089c944620c893f9385c2974

    SHA1

    91beaad23a5b4a23dbb3278afa4180f5eadef3c8

    SHA256

    bdbaebfac6e7c7a09c7e0a523aec9750e1a73391ea34035a59324b87efb43b1a

    SHA512

    510eb25f4af8ba468f176307f044295ad40afc54dabffa3fa2a0167dbd739ad83f3f888336796704687fd508088ca20cfcf53785d6e4078b70541abb7e6d77d5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    e2893893f67d4902ff0ba08d013e1633

    SHA1

    ef8a23af61a5e57390a8d9217ebceefc5daf996d

    SHA256

    72325e0bfbe5593c0ad877e889430f303427ab36b94bd0766462e40308c4c7aa

    SHA512

    1cbcdc63366abb686e39d464dacca640d2a133f48d541e1d195fadf758deb9f3f0b88a2dfc65102eca2814af140c60d348849fa4f78bd1f93a50c836293c8ba8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    3.8MB

    MD5

    fe8686c392b95dbcd651829dd843f69a

    SHA1

    e74e3702ffc9a93d444429fbfda55926b0f7b037

    SHA256

    9f46962c20fc8a01335ee0b0d793e276e4b03f196c5c88058bc932187e12af80

    SHA512

    a66ce2a0151c6cc5e26b2f773d52328cfb95844d3b5c6750b67b4d0f1b53c0b0210a575d0f68dccf17d91748bf063cb944824421ca78bdeb835c59d852203e5f