Analysis

  • max time kernel: 120s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/08/2024, 08:43

General

  • Target: 1454ad825bd6c8f015b5b9aca1632310N.exe
  • Size: 2.6MB
  • MD5: 1454ad825bd6c8f015b5b9aca1632310
  • SHA1: 73715608800c2b1373ef1f4b3be103cfbc91b474
  • SHA256: 2491109e62f7dde2f006c7bf60827198115c20d6ffccd51a3a1e23d673fba259
  • SHA512: ded941641fd3bced14ee6bf52a1a91da1803c3383c15841e8d88b1214043197051fc9f4101102bedca33dc8672c602325a0b2f89386d63fe4904b737d1e49a06
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpsb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
    Malicious access to, or copy of, a web browser credential store.
  • Drops startup file (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe (PID 1908, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1454ad825bd6c8f015b5b9aca1632310N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe (PID 1248, tree depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • Child: C:\AdobeK5\xbodec.exe (PID 2028, tree depth 2)
      Command line: C:\AdobeK5\xbodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeK5\xbodec.exe
    Filesize: 2.6MB
    MD5: 90807cc3f1e3812d65582698070d402c
    SHA1: 8c0d40fb7be6b3f1e6fcf86790dfbe81b1589e93
    SHA256: 6d3259726eb8f7612c2a890e434e67fb0dc273df17b838a89e76dad9e4daa669
    SHA512: ed5aafa397e58aa61ab3019a88e881f04ed0a001afb62c24147ea26db6d58236075e5b7d4f3d26ea45ada57911196c57aff414c39112eae7017c35c0d89508be

  • C:\MintGP\optixloc.exe
    Filesize: 2.6MB
    MD5: 92f96d5b50b62028f18cf2abed2f1e4e
    SHA1: d4bef2528af92d689ab28fe680429a4b6e326fc4
    SHA256: 958c9b2685fd1654483c5de2c8fff280b1cea1cf7bea50110fb1eea851daf730
    SHA512: 788b0a541fc61385ea0e01f48686f830c35a35999e38ed7c26eb763dbc39a66a42f8bf83a2fc7a15e49e3d821c2100055dcc0f7c40f2a25b7a859d704a6a9a64

  • C:\MintGP\optixloc.exe
    Filesize: 2.6MB
    MD5: 7da8e49d1fb7ee1b6a31c24015e923d6
    SHA1: 7f9746254f1e8c1dd73d3a38ab3be30a37ebacfb
    SHA256: feff384c8f820e384aaf09d667187cc6365b20e8dbea4af979ce7d1b71786554
    SHA512: c96fd2405cbb49e40ef0574ad51630e68ec961395ad6424e3a24579032fbaa57d89e3530740e9a8bd3d99552fafbab37fe2359ca15fb164ec00a0d37b435eef6

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: 6bc2b33255344b6c3f502604d99d9f5f
    SHA1: c6c38d0a602d8e88ae5ac25b5df72811adf89b3d
    SHA256: dfa7cbbdce3d5c71892903b21abda51480e1b6aec9f57a66667ebef0abdbcb8f
    SHA512: f546e05a14d0228688dd0fe61b89920c6c959ce519f077a23e05195c4dc40cb2f24fcb344fd72a0aba73615d5f5dbfe1424e02b45d3a6b0a3d74d563337f5cef

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: 8bc88ed5038d432dd5ca3e06f5da05d1
    SHA1: c819865601fc1159ecda7aa0479c1d8d1c6f5138
    SHA256: 696ad8d69d994ee71a5fbf24282a101ab0e446df0dfeff6852d5a51ca1a35401
    SHA512: 5d61b3e840193b7c021a7a2bedc0e4ab4f4eae0e5165f99b49f805a35e6a949c96f40fb21ab5b41394ba11b5082f249aa90857c3d8d725b1291ecac3188f8f81

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 2.6MB
    MD5: 98c4c820bd3baca28721588ac2a5901a
    SHA1: ab7ebcbca72e7dbb96e2cf1620d8d3485b813cbe
    SHA256: 30b4d528a66b1950dfd9fdeaa2ca31bb9efd932b409900a326b784c34f6d2202
    SHA512: 21e225558b2aebbd1a7af551d76431ff5ded919cf77397fe6801d819bdcbb89d36b91d0ad5110da49bc5a5994fd2c73a38982090b14e4b758c6c201afad9655b