Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 06:56

General

  • Target

    ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe

  • Size

    2.6MB

  • MD5

    caf5d388c5a5e9237a3784652b0950f9

  • SHA1

    b73e6c9a785b8c73a1f9651564f2d5dfe2a8260c

  • SHA256

    ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147

  • SHA512

    612c52a29ad2f27af169a59406af1e6275a213c21cf9d04392a841772022d83e9ca19f8dd90e1bf4d3af9f5415e697c11f80a94a0c1c86d191c2b68a0304d605

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
    "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2728
    • C:\AdobeTM\aoptiec.exe
      C:\AdobeTM\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2732

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeTM\aoptiec.exe

          Filesize

          2.6MB

          MD5

          9df65d4209bad2446dd1453034970c40

          SHA1

          d9cfbdf63e6a101ab5b0e9b29f026facb5a5a5b1

          SHA256

          ebe8444517aa06fa4efb2839387ee6e862c5281d5cfa3f1fece60535c46fbb1c

          SHA512

          7f3f40f5f0fc6f44d9a4f4b0b1eb829e7a0d9275aecdae13a86512eb719a68d6bc7f59b3ec4375752f5ec050787e4bea352d3c9470169bf0a231d6b19927a86a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          169B

          MD5

          93bbc64f264d9c06306980477aa70fb1

          SHA1

          bed619621f8ab125bcf8dd7cb9cffd8216171ca6

          SHA256

          c5bcdf0d57c5b357fc32c20cd21c74a91da29e941e930cbbeae6acb31c57d20d

          SHA512

          e3f5bba6f07a147e13a1fb8e112358fe3bba740e5f9ea18d3116ed5f397920d21acb554772e684e9daf2eb27cce58521e2b9aff9b37d0dc05a6c7632243221fe

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          201B

          MD5

          49cb415ca76dedf6dc9bc7fc54aaa39c

          SHA1

          db364753b14853cad59339b2be28dd6b01491e42

          SHA256

          6a6a03b381b39ab4c0dc6ae95f3952068bdfbacd65167ddb5aaa96cee741c2ef

          SHA512

          53fd7e1b2629270054fd753c52a0036cc4031eae49634c6ca3e178859e7b42256f78381220133cd79af54e28aa738c9333cf3ce84722f2157f9590059bf132de

        • C:\VidR3\dobaec.exe

          Filesize

          2.6MB

          MD5

          7ad023471e0b78aff9d6fa68d59d0a77

          SHA1

          6da48e06cf376b32bcbdfc7576e8505aad6d2bda

          SHA256

          fc79329f711c40584278e468042a9c8501d141c34cc141acf08aedd5a2f19e10

          SHA512

          e6b2b01b1afa948226629e00e735be539ae7bec0e41b27ca3ea7da17158029f29613a68ab800ec7cad0488206fae0a8aaaf29d39db2e2262fc338285f27f0dd8

        • C:\VidR3\dobaec.exe

          Filesize

          2.6MB

          MD5

          853afe4a94b99819e3842d46201869f1

          SHA1

          e95b274b4280e634be604c7c268000fb39bf5c22

          SHA256

          5c3cec46bc1b4ca0d4ab43a6b0af7034a5e1dcdb4f51c3a78ef3fac3343b0c3e

          SHA512

          e8822fdf14bad941d6c17e5b0946adb6525a44adb36133a418e4125c9aef0e81ac7af65e492492906ae10f4f90bbd4e2a55f0031b5d1963697c6ba7bb76c8bde

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

          Filesize

          2.6MB

          MD5

          52d27372daadbeebb2690846e2e5c197

          SHA1

          f620c48c7fef857d1e732a8433de0c84db0d32ef

          SHA256

          32095b13d2ca1fd0ad0fa4ee0af5990b8e00d1f692db99eadaec6194809bb664

          SHA512

          eca6913787befb5494e46627567c784d9834fc2021465f7ca1c01eb987b59579c9734bfa857fd9b7c91636823cce13a66f5d5e65f1527d403f5063261f626a31
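The process tree above shows the sample copying itself into the user's Startup folder (locdevopti.exe) and into C:\AdobeTM, and the Downloads section records the hashes of everything it wrote. The script below is an added example, not part of the sandbox report, showing how a responder would turn those two facts into a host sweep: hash every file under a root and match against the report's SHA256 values, and separately flag any executable sitting in a per-user Startup folder, which catches the persistence technique even when the dropped binary's hash has changed. The demo tree it builds uses constructed stand-in bytes (their hashes do not match the real dropped files), the user profile name "Admin" and the C:\Users layout are those of the sandbox VM, and `demo`, `sweep`, `startup_executables` and `user_startup_dirs` are names chosen here.

```python
"""IoC sweep for the dropped files listed in this sandbox report (added example)."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> path, copied from the report's General and Downloads sections.
REPORT_SHA256 = {
    "ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147":
        r"C:\Users\Admin\AppData\Local\Temp\ed6686...e27147.exe (submitted sample)",
    "ebe8444517aa06fa4efb2839387ee6e862c5281d5cfa3f1fece60535c46fbb1c": r"C:\AdobeTM\aoptiec.exe",
    "fc79329f711c40584278e468042a9c8501d141c34cc141acf08aedd5a2f19e10": r"C:\VidR3\dobaec.exe",
    "5c3cec46bc1b4ca0d4ab43a6b0af7034a5e1dcdb4f51c3a78ef3fac3343b0c3e": r"C:\VidR3\dobaec.exe",
    "32095b13d2ca1fd0ad0fa4ee0af5990b8e00d1f692db99eadaec6194809bb664":
        r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe",
    "c5bcdf0d57c5b357fc32c20cd21c74a91da29e941e930cbbeae6acb31c57d20d": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "6a6a03b381b39ab4c0dc6ae95f3952068bdfbacd65167ddb5aaa96cee741c2ef": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
}

# File types that execute when placed in a Startup folder (assumed list, extend as needed).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Per-user Startup folder, relative to the profile directory (same path the sample used).
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, known: dict = REPORT_SHA256) -> list:
    """Hash every regular file under root; return (path, report label) for each known-bad hash."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in known:
                hits.append((p, known[digest]))
    return hits


def startup_executables(startup_dir: Path) -> list:
    """Anything executable in a Startup folder runs at logon (the sample's persistence path)."""
    if not startup_dir.is_dir():
        return []
    return sorted(p for p in startup_dir.iterdir()
                  if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES)


def user_startup_dirs(users_root: Path = Path(r"C:\Users")) -> list:
    """Startup folders of every profile under users_root (C:\\Users on a real host)."""
    if not users_root.is_dir():
        return []
    return [u / STARTUP_REL for u in sorted(users_root.iterdir()) if (u / STARTUP_REL).is_dir()]


def demo() -> dict:
    """Constructed tree (stand-in bytes, not the real sample) exercising both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "Users" / "Admin" / STARTUP_REL
        startup.mkdir(parents=True)
        dropped = startup / "locdevopti.exe"
        dropped.write_bytes(b"constructed stand-in; the real dropped file hashes differently")
        (root / "Users" / "Admin" / "notes.txt").write_bytes(b"benign file")
        # Known-bad set for the demo: the report's hashes plus the stand-in's own hash.
        known = dict(REPORT_SHA256)
        known[sha256_file(dropped)] = "demo: locdevopti.exe"
        hits = sweep(root, known)
        exes = [e for d in user_startup_dirs(root / "Users") for e in startup_executables(d)]
        return {
            "hash_hits": [(p.name, label) for p, label in hits],
            "startup_exes": [e.name for e in exes],
            "report_hits": sum(1 for _, label in hits if not label.startswith("demo:")),
        }


if __name__ == "__main__":
    print(demo())
```

On a live Windows host, point `sweep` at the drive root (or at C:\Users, C:\AdobeTM and C:\VidR3 first, since those are the paths the report names) and `user_startup_dirs` at C:\Users. The report also records a Run key being added, but not its value name, so that check is not included here; enumerating HKCU\Software\Microsoft\Windows\CurrentVersion\Run alongside the Startup folder is the natural companion step. Note that two of the report's hashes belong to the same path (C:\VidR3\dobaec.exe written twice, likewise the .ini), so a sweep should not assume one hash per path.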