Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 16:37

General

  • Target
    855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
  • Size
    2.6MB
  • MD5
    5955894ce47de5b99b03d90389b59250
  • SHA1
    c73c95d66795c9c24135a35dbac3fb33fad06291
  • SHA256
    855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbc
  • SHA512
    3b23ff5f5fc766835c7145394677e31440a716b9e4bd6ac1d2f68e2c1eaed2cfb12fac5c1e6e64dd5aa5b15cdb1a4c3b27eebf2d90728a8008be5cf38080d571
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
    "C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2320
    • C:\IntelprocC3\aoptisys.exe
      C:\IntelprocC3\aoptisys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocC3\aoptisys.exe
    Filesize
    2.6MB
    MD5
    331e23406f1e0a6b7953ee820c5347cc
    SHA1
    aed20833d129eedaa1ea57146894937875b3fe17
    SHA256
    89f05efdff8a4bfa6308686804b41e1688d185796370df4800fdf3d68ed58430
    SHA512
    93aafe1886edecfe4384139c9081343e394724e64a0179a343258888b32d69ccb742e994f46a4af632315cefa9327be610a5589472e14ea4672a6230b28dca9c
  • C:\KaVBLS\dobxec.exe
    Filesize
    2.6MB
    MD5
    e065cfacb9ce96e72181f3d3c098c649
    SHA1
    233c392fc02824104567d3574167b5103bc78f48
    SHA256
    0dda325d7359c97bee32c9aba78a9f896e73a170dad600451b0167aea077c1cc
    SHA512
    63a95ac78083313eaf995e3073b1d76dfa1a9838d4bfdcc834ba03358b2b841e9e640fded058ae6efcc9d31692d5aef1afd1dccc3354975410c04b90c21d4a1c
  • C:\KaVBLS\dobxec.exe
    Filesize
    2.6MB
    MD5
    fc3f560ba33de3dde98fec3d148ad456
    SHA1
    583f98f88865af58a7c91182c77a04aaf3504d68
    SHA256
    080e04dc80c52bb33f7ccbffe0422838f6fef169a313553be025e784c98d2c02
    SHA512
    fb7938d634f2eb9dec407684f26e7b7104c5576f583476496fca8a3f761d4c458f405124448c41f32522bb0744667b7a72bd5f065fe21343639f0d8744afc982
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    172B
    MD5
    5c45561aafeed9d102057ff1eaa71204
    SHA1
    0504ddf5770340c411c47eb950918102cd6a7bb2
    SHA256
    e1685284d4f6a26f72fd86358225398be8938b49f6eaf6ae09d8901c4c1689f3
    SHA512
    2d955ba406708f81bd3f9aae74535df256648f6e39820a4c945f6a0fc2d0e51e9b275cf3ba57a57886d515fedc8c52290567ee6aa6b0c514f22aadab338e727b
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    204B
    MD5
    d65abb649d8b4eaf5b54674c20ae74ba
    SHA1
    deeb6e66b960834d4631e3f39d3f0ab52d06229c
    SHA256
    496c7afe025e43f79b3b986c02962c3da212bf7ff180971c53054dcbf2da941e
    SHA512
    535e1f8a0394e58ef84691d9f1e0ff35d694caa6879ea188412622e519259bd639189c4681154528448ddb77f1ba12af2b305e5b6a43702d7c24e3e75885e27a
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize
    2.6MB
    MD5
    ea9ff6ce5e937ec7db51cd811d75fe02
    SHA1
    ca839344255afa489f36b37d04d40fddcb70040b
    SHA256
    5165801607e39a7e3b3f84b110400f614eaa2622de90cc539798a861188ce65c
    SHA512
    dc2335cc5d82b88bbb2170b8e5cd49de094cabb11bec84e56428b0b135155b44138faf2dc1df516c107db5799061003ebf86abfc26d6f8b6fa3ae0d83826d5c9