Analysis

  • max time kernel: 120s
  • max time network: 108s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-08-2024 16:44

General

  • Target: 5d44d931b2aab85ab66c3806c6aca850N.exe
  • Size: 4.0MB
  • MD5: 5d44d931b2aab85ab66c3806c6aca850
  • SHA1: fc51cbe724e9be94a9a3ab061c4693c75324d41b
  • SHA256: b31f9d02c756e95a2eba310bf583e3a0cf97cfab0668751c7ccb6f9197824d34
  • SHA512: a38306f47ad955bc5fd0d9dd6d32dd4ceb8979a2bd6a9ac53874c6e0e25fd3705737fa73554a2cc4d5a67cb31fe7695f7379696a3f7dea7a6e537900c8310f37
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d44d931b2aab85ab66c3806c6aca850N.exe
    "C:\Users\Admin\AppData\Local\Temp\5d44d931b2aab85ab66c3806c6aca850N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1944
    • C:\SysDrvQ7\abodloc.exe
      C:\SysDrvQ7\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZRH\optixloc.exe
    Filesize: 4.0MB
    MD5: 16ccf5f67f9282b30e6a5f4af5270f50
    SHA1: 68447409565fe05072bf9f2e5ab6c808cdde3588
    SHA256: 8a2c86f7a9d52c2ccc8fff1c540155f993fcd3b74ea6856ec35c0b5b70c3c77d
    SHA512: 17d7c9d9ee1c0bb061ec5aaa3b060aa8030e9197dfa4a700080dd3ca663bbd3176e55487e505ed460a4b137714a87b062505760e25285e888ea793302c475921

  • C:\LabZRH\optixloc.exe
    Filesize: 4.0MB
    MD5: a775665d94f8b90242629892e759b611
    SHA1: ec17cd80bcf761f5face94c40137108461bb9239
    SHA256: 4c2fcdcab81da638ed589e971da36cc4be80ac57d47b3211c362b0d138e08ac2
    SHA512: d5e0db5ef35ad418c3eaeaa3b6473179c7044e2a8f2067680ad5342a58d51942403946a788ea15d309f10a7df6134c65fea44ec23077bdfc57107eede5864e48

  • C:\SysDrvQ7\abodloc.exe
    Filesize: 4.0MB
    MD5: 7fc06c8e715168f0c2eac7fdeaa4ca80
    SHA1: 8c06c6927011bc4a120b598013459ad8afd55076
    SHA256: f5dd77f083b57324d5019982d4c7af5b38fa71080df14937d96fb6252d614e06
    SHA512: 76ba87671817031931c5c2d2e22c111d8a17a4c5a0b17653b21b30682a4be1f073fdb7e646024c646855de65a224ca26b45418c29784b91dce0ee6e693b6abcd

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 201B
    MD5: 240efbf74dfda21dd3aebb3e8d349b62
    SHA1: 8924b8bd737c4a75cfa73738fe76e63862bda40f
    SHA256: ec4121bc08693da5e0238c932f11c50bd797b211d4d9c42d9a836fa3536099e8
    SHA512: 9bce167b905cefdc3e965c8858138c39b3562f41bd395ff149f883968e830ec019584e09985eea848b04ed8c5533e56c5560782370f231a08ddeb2f07d3677ed

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 169B
    MD5: dc1f0e7eecc185b1e94c3cd75d5db4df
    SHA1: c7507c5bcdbb85e4c550d2109abec0e5da53787f
    SHA256: 4e4128c604208368d69b41017bd16f04eca1876cff6feb2067baa166f67eabf5
    SHA512: 742fb5eb623b048adc4dd18dd2bc2ffabfae04578bebaba26666c0fe1ec87bb4ef88c1cd26a3bf3d1dca9943d47c64800d01fd0dd5020fc7c780505c569e52a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Filesize: 4.0MB
    MD5: a0a7e55c8dc6d40b208d768685be6fea
    SHA1: af5dbef3dc7029f6d41ce0c323d4326780f397b0
    SHA256: 34a4b35cdc527ba34f7d3bcecd446c91247185c87c7a930e009cabbc351086be
    SHA512: e698dd3b152c8f6a7121bcd98890fb1df0414daf039c8a3e9d21652a9f7b3550983b9ed833afe24c95401b704d7cde1e8eea7c42d8d6b4d2d0a0b918d4fd2237