Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01/10/2024, 07:21

General

  • Target: ac816371b8eb20fb8b1fae8a48889d064e491f621fa0b98893bacdd66445dbbfN.exe
  • Size: 2.6MB
  • MD5: f70afdb088a31baad8e8fbeb18e45a60
  • SHA1: 35bbb0655db6380710cccef7f96be452d895ce30
  • SHA256: ac816371b8eb20fb8b1fae8a48889d064e491f621fa0b98893bacdd66445dbbf
  • SHA512: a0e1e38a7f38751a400a4012ad403d656fc1c134f687fcdddf55e33350cd09429a4c7c6061981d42f6517156473fc498e2e04c3a24743df332b8d947ca1d5194
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac816371b8eb20fb8b1fae8a48889d064e491f621fa0b98893bacdd66445dbbfN.exe
    "C:\Users\Admin\AppData\Local\Temp\ac816371b8eb20fb8b1fae8a48889d064e491f621fa0b98893bacdd66445dbbfN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:532
    • C:\SysDrv5T\adobloc.exe
      C:\SysDrv5T\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3380

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\KaVB0T\optialoc.exe
    Filesize: 1.2MB
    MD5: 2e05f127ee18099a42240cbfdecd6328
    SHA1: ae39618bbe180159dea3a0332a9a6e7e88ff8acf
    SHA256: f71802893d99df605ef0621a597ef414f2de7c7078c5b4823a65e801643d19cc
    SHA512: 86cae2dbe4041d6f0a5bd61e193b571bea289a0aaff36e4c0f41304a8ab33744839831aea0551218c24daaec4830168f3774169e42f2168b0fc42d1f2cfc7992

  • C:\KaVB0T\optialoc.exe
    Filesize: 2.6MB
    MD5: aa247f704a394f71804b475e7d096a80
    SHA1: b4eb31866e50095417a0be04395a14b98da86d89
    SHA256: e95cc35a22cca76dbc0e1193c2891deedb68b5cf4bd5d3345bcc7d338aa6f0d6
    SHA512: 0fc7f1d7c75cce057428f30dba67748af832daeef294325e31a0f3d009e79d311d9678c72733d392467c8ec4b42401ff7116612d2ec087a39f3613ddb9d6ca4f

  • C:\SysDrv5T\adobloc.exe
    Filesize: 2.6MB
    MD5: 7a05a282d3a8e1c8bb501a57b3f0c844
    SHA1: ac0eff0ef288419b7d5af14c26b7467e39d88dd6
    SHA256: a5b14af8c2d0eb4aeef6ebd3ce36a2e0f822fc1ede606e2ab82c204ccf2e131e
    SHA512: 4ebac9a8266c26e35c07035e4a6d98cfc6c13c3460a8fb27aed2a4564c6404bb9101210f42ce1d70edbb984e17644e0368f3437a48a713a3189dce598b22e028

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 3a0956a1f5c826f1ba01241048ff95e4
    SHA1: 743bc1ce8fab36d3a79bb2711b3bd3d3ec950275
    SHA256: 0e390e5fcdc29b203dbaaec12a04617cd5690740179124565e2a052fb2a46e1d
    SHA512: 7c2deceabb3461f6609b4096d1cd593e1bdc4aeee3e91937b7c22119a0dc3b13d10a94765a0309bd84fb4829c86c91c7c64376be5e7cf792c4c15a502d4005b0

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: ad327e4fbce91368309345b046189154
    SHA1: 4def91b1c7ea48e3f19c152e780ae311816e43d3
    SHA256: 489e71203f42d42495d77d4ce012f3fe96d1aec16fecd1b2ca26b9b22d04ae18
    SHA512: 5f9286c0aff0f7842792e971f6161b0984e6493e68a2ccc7e6a44c0a14fc142a4304d5cff0a1ce90551ff5f839609cf6990d031664fafb63f1e049585cf1b612

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 8687930ea3ac603c0db7bc0eb59d3605
    SHA1: a2aed32317cd26ef447be0cd426cdbc0ae447dce
    SHA256: 8a97484bd1ded0db82dfe67f58724135740ca40ea4e13e3bd6cd5a6a2e501210
    SHA512: 4af2f079f41b6f8b364918efac813eeb4f63b4a02cc93b275452b4edb6dd45222e2df0f8b24735e2f09bf10c35bbac165d19c3d69b4e753537036c69212177f1