Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26-10-2024 04:37

General

  • Target

    df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe

  • Size

    2.6MB

  • MD5

    c34c3c696612aa793e3357bb84d187e0

  • SHA1

    37a84a246d37673a35e4ffd90003308bd45c7c7d

  • SHA256

    df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4

  • SHA512

    d5e0f513da5d4c6e850e2f90ab7116061cd9a0a113981905c15ca4623cbe3023a8511dd944440d9e78ad91ed45ce39d30acd7347dc26d8b031505eb19f8f62ac

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpIb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
    "C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2276
    • C:\AdobeME\xdobsys.exe
      C:\AdobeME\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeME\xdobsys.exe

    Filesize

    2.6MB

    MD5

    69dee9b0499519eb49a78f78c6ffd5d9

    SHA1

    59edd61b2d48db78a1c15102ae134e8efa60f37a

    SHA256

    7fd98ab0bd7b37193b7daf6fd688f554195547124f7cb5bdee95cb9709fc88fe

    SHA512

    218cf1d5b63edac196b431c1498d31f6a942dd0da8ca0eb3a8146f35759b2a11b41c56bf51e5eeca24584af5c08f12d8aa079e9bca4bc18ce2863fa18d9792b6

  • C:\LabZWA\optidevsys.exe

    Filesize

    2.6MB

    MD5

    1575cfb4f611d2785a974b7170114e7d

    SHA1

    350d5d3135fb1c2ac32c52812ea3202f298dd9ac

    SHA256

    4d9c304ed16316b6dcc75f053392cb37eac472bcd86bf9cfd86129c5aade1eca

    SHA512

    46449ee439d1be25f7faf459f220b885218c504bd8494d9e2fb274225f98bbffe1a420186388f7a5ed037e9954a8c7c3cdb6793ccaeeaf448c541391e090bb37

  • C:\LabZWA\optidevsys.exe

    Filesize

    2.6MB

    MD5

    883b5aba3589da711279e73b00e6a253

    SHA1

    0d51181257eae531f9d61ef1ac1a3e8b92a9b611

    SHA256

    f54909b6f2c4b2f8247629452d31fd68550375dc0fa6484c899dc46e26afeb43

    SHA512

    1d9490015d640e63bab6d48722cabd2db524f6d87c2378b83cd314d6193113ab8577463ef25bf46adac4ac446ce2f4e834be62c3ca6df361d21b3eeb5269d551

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    3d1469a357d788b44132488f5bd36995

    SHA1

    6b5efe735b5e3aea4dc28bbc8bcd73dc6bdae3b1

    SHA256

    6d9544e1a5e1103c69a1182712759b4e0d5fbe45252d7714754e31a9294ce154

    SHA512

    06fbe473ea090dcd2cfad9dd3be2dc103a4d9fe978215b127a4464e4d46c1811f4f934992e83f8e15d252022b1c76f2757c14e6a3fea3153a27237bdb3605ea5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    45d30f1d988caae27135b5e45e18eb29

    SHA1

    a640fb336e0498eb66b4b58fb22e3b8a48dfdc56

    SHA256

    819e1fe703ba024f672dbf2e6b164ca0cdcfff7604d35ce62239aa5b3917c822

    SHA512

    e0eda8155aa264c87891b1fdaf0cb1ee8150e6f323ca81cf42785d434b3f1291137b7fd69691e52fb6993356a6911c32bc3ba1c2240a058bde58ef48f65ae38f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    3c3e3a5b6bd052d4bcf1561f6a194148

    SHA1

    1a4be5cee2f4ec045a11d475f46dcf103ddc595a

    SHA256

    4efdfe152139003f07a30de795b0e76e3699a5b332ed3aa6bf187b95c655bae8

    SHA512

    9ba397e8b9f32312f93cfe44319345a238357faefe273dc081a40fb900098581daac834243bc00b15f0ebcc7c115d8a365f92408ca639569be3555e041b025c2