Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-09-2024 00:39

General

  • Target: 98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
  • Size: 2.6MB
  • MD5: 37862b8d08be0d8b3e5c24bf546f045e
  • SHA1: 94586846c58c3ea3fc036e050b151f90617dfe8b
  • SHA256: 98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a
  • SHA512: 917229846f2fc8b109356f66d58915694288001d86eef6243f82c2ceea42cb7764d4e3f9cba0f33cfa13d5b67f00a08642d4ca800e151636bb35c00aa02bb583
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\98df5929746b5a9843f8f1396506f6033b30a4267a65523c62d5ead0189bfc9a.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\UserDotKX\aoptiloc.exe
      C:\UserDotKX\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax79\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 2db3716a2b90d8377bd721d454bcdfd9
    SHA1: e5b2d463a9734f715123186cb56d97748f5dc7da
    SHA256: 715b8be4424c619ec4518bb7ce84412f35ca35c437f154db701f1f4dc92af2ec
    SHA512: 64e6fbae90b25cc351c9220f38ac64090b7bea34788dc37c372b5e08cc8d4337e73bdf79445adb368e911df2e5add79385065f85dfb9e224aae00b1eac25f358

  • C:\Galax79\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 62333dcb78476ee8786976d87e489ec7
    SHA1: 2368bfc847f8734302402c0984c414f4fa605467
    SHA256: 9b51c271712d5d74eca2673d6e4fe1acdabfa9691429e56b6e3d44e6202a1df1
    SHA512: 9ae26d7306a093476d79d966d53db06795218f3793d92e92d1299dcebcefb3618c9b7650522c9e2aeac56f3f9d116a357f0f0083dea473c76f976ea0a22a517b

  • C:\UserDotKX\aoptiloc.exe
    Filesize: 2.6MB
    MD5: 0249f6d69f112ac680118a390474adef
    SHA1: 03789f9cd623938f2e354205c941bed153f4980f
    SHA256: fe921cdc439719fc15883ddc6d3620eb2b4ff0ba4ece3b7cd9479edbf10dc353
    SHA512: f04858e98df0d73b971f0f9f7ff8d41db7248ba34bc03dbd0cfa8f6df13b13bc3b8e8957000f07fbcb38290216890bd617c6c400b4975b64362aea066de7d485

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 8de56e3084b319e60375c98a48d35255
    SHA1: 489afc4b54c0cebc278be75e585c96b0bb12fa37
    SHA256: a77aa2272ef5346894709f0962416ebe93a333750058abcf55e0361cd24a0795
    SHA512: 4af348243859c8dfc5c5771a2ebc4177be342c1b165449e67073bb0772ed182dea2d749ca990ee499510f2578a503f03b18942d93b8a98c9119a4ef22e43e5f9

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 13a3002b549f24c72a8de82caeb82208
    SHA1: e42071a3f40101fba0b6582fe5bebf6deaf3b16b
    SHA256: c7ad077dc1f9f623d497a046066abbdfee97c10fef7bc5c20db1e9e9a9a69640
    SHA512: ac0450086b0cf9531f0eda97710635078937c10ae98a3becb7a841a5d6f5dc9999cba8e7a665ec59b24764dec276a61a59084786250cfb217c2fad340ab7f8e7

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: f4cac399ef9e4de7d660be52b1ae91dc
    SHA1: 82b03058dafcf3178759d47ed9f6fd1f50ed3f46
    SHA256: de47db18c809c4d68266e6d94011bb3fa4d7536a1079fc7e322dc94f38e51f7c
    SHA512: 319be7bdbf1d1666e5f12b580efe1c9114793c79a9c3639bb4dac18a3097ddd05c944534df73ae1e3f7c09a19662da7b09555f882816fd67d7f7c6770ea4a936