Analysis

  • max time kernel: 120s
  • max time network: 113s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/10/2024, 14:18

General

  • Target: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
  • Size: 2.6MB
  • MD5: 17bd71999c3667dfe3464ed87b0aec40
  • SHA1: fb31deedb3f4a7c27e38ba54c023e1c18fc8979a
  • SHA256: a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170
  • SHA512: 5e8117c8ebbdf6954a3d7ae066daa7d4287686b02a65160fe61a1ce3ab24333463addf8218d64a01700473b2562fd203a5e1b2f90d469572427cdb38129c1d10
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUpZb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe (PID 412, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (PID 896, depth 2, child of PID 412)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocMZ\adobloc.exe (PID 532, depth 2, child of PID 412)
      Command line: C:\IntelprocMZ\adobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network


        Downloads

        • C:\IntelprocMZ\adobloc.exe
          Filesize: 1.0MB
          MD5: cf44ee1af43640718ed150e7f550dcda
          SHA1: 09b3ebc9c3af14cb9dd9817be039272c96d58147
          SHA256: 84aad92648f090d03e417dcbbceb68f35c460def6a6d600d297b57b9a88d51f8
          SHA512: 7e5d1a79a324f6e678930cce2a81e74d75bc373a5fe7f3053a3729884be74723217be5b2a239ea11883215fa080b8ec582673f822fa21f962b4b7bebdc4178df

        • C:\IntelprocMZ\adobloc.exe
          Filesize: 2.6MB
          MD5: 64d0ad248163ccb0994bdeadd0482bc3
          SHA1: a21e35819cc06d62a9a01a0f921a3d413968206e
          SHA256: d3ba4d0bf1b1f4f5d5b13949d63f534000b1f49c5c591ecb36d0191667177c9d
          SHA512: 731664ed03b81edb24640249a25e43c3d1e2e7af68a3fcf6f5b5259c2d4f9c55220b735c71a51d813f2305b06a23345149acdc5d7d7cdfba5cf9a34d31bd54ff

        • C:\KaVBU6\dobxsys.exe
          Filesize: 2.6MB
          MD5: 0f2c60d681ff6af2886a801e6abed029
          SHA1: 54ae15d55b80bdc2c6046caef21c109e679f4656
          SHA256: 7e6683b502b796d839615ced588115a6282dbc5ff7775edae49a56423af5b6f3
          SHA512: f35b83d48379b7d75b0b8b4411d5bb288a2caf827cf2d898ba55f2e51288c14fd2ca2dfdcd06d5d459f53efd684801fdd14c59879b62f806ad96346d470db61a

        • C:\KaVBU6\dobxsys.exe
          Filesize: 2.6MB
          MD5: f0c1bb84a17da5414f29688a73e29939
          SHA1: 6bf36d583f661e65639b604ae41fb04d5cde42d7
          SHA256: 5fd2e333bad448c5d4c79a3d9914a8419aa85adf3e88bd59279e4e4854ab7f14
          SHA512: 1e0f781c177585da78013dc54259d995762e7a63afed2e25171be5745692fdab4f4cd6fed53f1f9cacb260b269e29323ef5a6f4b5f7be322fd83f4080d5ffc23

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 205B
          MD5: e5dafea2155ae91d8de8aff6608cc96b
          SHA1: 8cab31bb83b4655d3e7ca36ec2c53ca4c2555d8c
          SHA256: 816d941aa1da3f1836fe7042b2519dad2250dda1f506f5980d5b8fb5ed3a1c65
          SHA512: 5ecf2e80ee97f8fe58e3cf4cb76c274116da53275e0624c741c7c9e8b405002847fbbf1ff0e05cdab42072c9d4092900cd67db5195bfc7c67ae984f3ef87f661

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 173B
          MD5: eaae9842f6630a4318172d4c3617f9b1
          SHA1: ae7f40df7d36e922f11f78dfa7228b32f1d2c2ec
          SHA256: b4f6a3cd039f93f1caa10942d20928d0b35b3a08e76fa4b233590458c82867c4
          SHA512: f111cc3551cc71751f6c5a053be942731f65ab18f78a4f054fd9be761aa0916b77e0eaa715a266f61583e7ec2fdd2660065ef5e818d5063eadf901c971e0178d

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
          Filesize: 2.6MB
          MD5: 0a6e07db315c24acce35f0a75d9ddda4
          SHA1: 93e347386406bb80a2c28e97a955f56d9543998e
          SHA256: 0bfdc65374ae2d49639779ce2a1baf6fb9a45b5c223377935c4457021499e21c
          SHA512: 550d63246a31daea4f56ef05d3ecbc41512ab127f1b23fdc9c7b143b2e497f47f9cbd299f1923cd8565e1ccbaa59228f73846143daa426efb300f259e0db4111