Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:40

Static task: static1

Behavioral task: behavioral1
  Sample: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Resource: win10v2004-20240508-en
General

Target: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
Size: 3.8MB
MD5: 7119474195def2bc277329642d74f37e
SHA1: 8c9aed1f5b9183af9021ab64641a792000ec3f71
SHA256: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c
SHA512: 20bbf648aaba9e02a573feef5e539e98820ae7ea517f5d9360f9ac1107bdd6881c834cac2b4059c77c4454fa753b51180fb90409411c4dcc4eb23d302c9536f2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz
Malware Config

Signatures
Drops startup file (1 IoC)
  Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
Executes dropped EXE (2 IoCs)
  PID 2284: locaopti.exe
  PID 2616: adobec.exe
Loads dropped DLL (2 IoCs)
  PID 1608: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe (2 events; the report does not name the DLLs)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No file or registry IoC is recorded for this signature.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG8\\adobec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB84\\dobdevec.exe"
  Note: the Run value points at adobec.exe, which the process tree shows executing as PID 2616. The RunOnce value points at C:\KaVB84\dobdevec.exe, which does not appear in the process tree for this run.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1608: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe (2 events)
  PID 2284: locaopti.exe (31 events)
  PID 2616: adobec.exe (31 events)
Suspicious use of WriteProcessMemory (8 IoCs)
  Process: b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe (PID 1608)
  PID 1608 wrote to memory of PID 2284 (procid_target 28), 4 events
  PID 1608 wrote to memory of PID 2616 (procid_target 29), 4 events
  Note: both targets are children that PID 1608 itself spawned (see Processes), so these writes accompany the creation of the dropped executables rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe (PID 1608)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe (PID 2284, child of 1608)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

   2. C:\SysDrvG8\adobec.exe (PID 2616, child of 1608)
      Command line: C:\SysDrvG8\adobec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
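The signatures and process tree above give a small, concrete set of host artifacts: a Run and a RunOnce value named Parametr, the copy of locaopti.exe in the user's Startup folder, the C:\SysDrvG8 and C:\KaVB84 drop directories, and the SHA256 of the sample and its dropped files. The following triage script checks a live Windows host for exactly those artifacts. It is an added example, not part of the sandbox report and not code from the sample; it assumes it is run from an elevated PowerShell so that every loaded user hive under HKEY_USERS and every profile under C:\Users is readable, and the function names (Get-ParametrRunValue, Get-DroppedFile, Invoke-ReportTriage) are mine.

```powershell
# Added triage script; not part of the sandbox report and not the sample's
# own code. Looks for the persistence artifacts listed above on a live host.
# Assumptions: runs elevated so that every loaded user hive under HKEY_USERS
# and every profile under C:\Users is readable; function names are mine.

# SHA256 of the submitted sample and of the six dropped files under "Downloads".
$KnownSha256 = @(
    'b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c',
    'c64518595965efea82f4b83c62f1bf2e5f3b5d2e7c23350f5b546e873bd095f4',
    '95fc50e0196af9c373a0409002cbf4b53736d0f5e06b0c1817cd448726755539',
    '2fdd05b6b95f444644c6d233141552a01becb24043e9f5494c0a8ad927d2ccde',
    'bdbaebfac6e7c7a09c7e0a523aec9750e1a73391ea34035a59324b87efb43b1a',
    '72325e0bfbe5593c0ad877e889430f303427ab36b94bd0766462e40308c4c7aa',
    '9f46962c20fc8a01335ee0b0d793e276e4b03f196c5c88058bc932187e12af80'
)

# Value name and paths from the "Adds Run key" and "Drops startup file" signatures.
$RunValueName = 'Parametr'
$DropPaths    = @('C:\SysDrvG8\adobec.exe', 'C:\KaVB84\dobdevec.exe')
$StartupRel   = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe'

function Get-ParametrRunValue {
    # Every Run/RunOnce value named 'Parametr' in any loaded user hive.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
            $v = Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
            if ($null -ne $v) {
                [pscustomobject]@{ Kind = 'RunKey'; Location = $key; Data = $v.$RunValueName; KnownHash = $null }
            }
        }
    }
}

function Get-DroppedFile {
    param([string[]]$ExtraPaths = @())
    # Drop-directory payloads, per-profile Startup copies and any extra paths
    # that exist on disk, each with its SHA256 and whether the report lists it.
    $candidates = @($DropPaths)
    $candidates += Get-ChildItem 'C:\Users' -Directory | ForEach-Object { Join-Path $_.FullName $StartupRel }
    $candidates += @($ExtraPaths | Where-Object { $_ })
    foreach ($p in ($candidates | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            [pscustomobject]@{ Kind = 'File'; Location = $p; Data = $h; KnownHash = ($KnownSha256 -contains $h) }
        }
    }
}

function Invoke-ReportTriage {
    # Run both checks. The Run-key data is the launch path, so it is hashed
    # as well in case the drop directory differs from the sandbox run.
    $runHits = @(Get-ParametrRunValue)
    $extra   = @($runHits | ForEach-Object { $_.Data.Trim('"') })
    return @($runHits) + @(Get-DroppedFile -ExtraPaths $extra)
}

Invoke-ReportTriage | Format-Table -AutoSize
```

An empty table means none of these specific artifacts is present, not that the host is clean: the directory and value names seen here may differ on another infection, and the browser-data access signature leaves nothing on disk or in the registry to check. A RunKey row whose Data path is hashed with KnownHash = False is still worth pulling for analysis, since the hash set only covers the files this one sandbox run produced.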
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report does not record their paths)

Filesize: 3.8MB
MD5: 70aa8c198830a2b01c12da238efea175
SHA1: 0359588c88dff1aead5a9d5775eb458529dec140
SHA256: c64518595965efea82f4b83c62f1bf2e5f3b5d2e7c23350f5b546e873bd095f4
SHA512: 16fcd7786f20d642a6e9f45e91e5fff33bf7195314aa2957697ea3642e3baca60c59300d26d10305590337134f2f57b22a3189d9f032504336e1a08a99e05c79

Filesize: 3.8MB
MD5: 3096be6033ee11a269658c9d93308c8c
SHA1: 6415cc31eb30268b1d4ec5b0e94e499c973e62a8
SHA256: 95fc50e0196af9c373a0409002cbf4b53736d0f5e06b0c1817cd448726755539
SHA512: 77cec7d846cbb9b19801c29cf1799b0c45c7d81dd31fa2e659f975c0511ec34ef4b847a72c4af2ef3e7aebae29f12f2f5f953bec8bf41edc0d56ca2181305376

Filesize: 3.8MB
MD5: 9a850de66dc5881052d3985cff1595c5
SHA1: 0eab63ba20131b91d0940c558d9b9698b2762a4b
SHA256: 2fdd05b6b95f444644c6d233141552a01becb24043e9f5494c0a8ad927d2ccde
SHA512: 47240e84c21ddd92c026393a18f289c83716321504d2c9117b93ff411e5fbe720831134d1606711bf381cfac96d10a2f5e2d71e8fd99d4824080f04543d7b92c

Filesize: 170B
MD5: 60c1dd32089c944620c893f9385c2974
SHA1: 91beaad23a5b4a23dbb3278afa4180f5eadef3c8
SHA256: bdbaebfac6e7c7a09c7e0a523aec9750e1a73391ea34035a59324b87efb43b1a
SHA512: 510eb25f4af8ba468f176307f044295ad40afc54dabffa3fa2a0167dbd739ad83f3f888336796704687fd508088ca20cfcf53785d6e4078b70541abb7e6d77d5

Filesize: 202B
MD5: e2893893f67d4902ff0ba08d013e1633
SHA1: ef8a23af61a5e57390a8d9217ebceefc5daf996d
SHA256: 72325e0bfbe5593c0ad877e889430f303427ab36b94bd0766462e40308c4c7aa
SHA512: 1cbcdc63366abb686e39d464dacca640d2a133f48d541e1d195fadf758deb9f3f0b88a2dfc65102eca2814af140c60d348849fa4f78bd1f93a50c836293c8ba8

Filesize: 3.8MB
MD5: fe8686c392b95dbcd651829dd843f69a
SHA1: e74e3702ffc9a93d444429fbfda55926b0f7b037
SHA256: 9f46962c20fc8a01335ee0b0d793e276e4b03f196c5c88058bc932187e12af80
SHA512: a66ce2a0151c6cc5e26b2f773d52328cfb95844d3b5c6750b67b4d0f1b53c0b0210a575d0f68dccf17d91748bf063cb944824421ca78bdeb835c59d852203e5f