Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 17:32

General

  • Target

    e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

  • Size

    2.6MB

  • MD5

    5cfb5045a8a94b4b6c681757807af2b0

  • SHA1

    3cbf6a14a1ba6433233a88202d6db47b3bda51ae

  • SHA256

    e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086

  • SHA512

    78fb6a66d74c148586c47eef9db5a508d7997ce2ca464ed59a4954ca6b3a377b77c2fb2e7bf30cf53ec0460f86647c4ff85284d26c5940628388fdb1ff8b8d91

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
    "C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4984
    • C:\AdobeYI\adobsys.exe
      C:\AdobeYI\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4596
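
The process tree and the Downloads list below give enough to check a Windows host for this sample's footprint. The following PowerShell hunt script is an added example, not part of the sandbox report: it looks for the dropped executables, the Startup-folder copy, the profile .ini, running processes with the dropped names, and Run/RunOnce values pointing at the drop locations, and compares file hashes with the SHA256 values in the report. Paths and hashes are copied from the report; the sandbox user was Admin, so per-user locations are resolved for the current user instead. The process names, the `*_10.0_*.ini` filename pattern, and the path substrings used to match Run values are assumptions derived from the report, since it does not give the Run value name.

```powershell
# Added hunt script (not from the sandbox report). Run in an elevated PowerShell
# on the host under investigation. Only reads files and registry; changes nothing.

# SHA256 values copied from the report, mapped to what the report calls them.
$knownSha256 = @{
    'e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086' = 'original sample'
    '8e142bb68730f5c875b94e32473b39e19e14f4227f4bd7f021c828cb35d3ba83' = 'C:\AdobeYI\adobsys.exe'
    '7ca99160fbf28242ac1b0bed1e7943d0908b4136bd44c90c3808f7917f08889a' = 'C:\GalaxUX\boddevsys.exe (2.6MB)'
    '8e5d401c2f1b04884c96364431b71d14505abfa208b2cca4db7f24d361979cbb' = 'C:\GalaxUX\boddevsys.exe (1.5MB)'
    '0d792e71e221e578973ce197c73ae0de2b299be676e03ad91d65ce9552f984e1' = 'Startup\locaopti.exe'
}

# Report paths, with the per-user parts resolved for the current user
# (the sandbox ran as "Admin").
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$candidatePaths = @(
    'C:\AdobeYI\adobsys.exe',
    'C:\GalaxUX\boddevsys.exe',
    (Join-Path $startup 'locaopti.exe')
)
# The report shows C:\Users\Admin\253086396416_10.0_Admin.ini; the number and the
# user name are assumed to vary, so match on the "_10.0_" part only (assumption).
$candidatePaths += Get-ChildItem -Path $env:USERPROFILE -Filter '*_10.0_*.ini' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$findings = @()

foreach ($p in $candidatePaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $item = Get-Item -LiteralPath $p
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $match = if ($knownSha256.ContainsKey($hash)) { $knownSha256[$hash] } else { 'path matches, hash differs from report' }
    $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Size = $item.Length; Sha256 = $hash; Match = $match }
}

# "Drops startup file": list everything in the Startup folder, not just locaopti.exe.
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    $m = if ($knownSha256.ContainsKey($h)) { $knownSha256[$h] } else { '' }
    $findings += [pscustomobject]@{ Type = 'StartupItem'; Location = $_.FullName; Size = $_.Length; Sha256 = $h; Match = $m }
}

# "Executes dropped EXE": running processes named after the dropped files (assumed names).
Get-Process -Name adobsys, boddevsys, locaopti -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Size = $null; Sha256 = ''; Match = "PID $($_.Id)" }
}

# "Adds Run key to start application": the report does not give the value name,
# so flag any Run/RunOnce value whose data points at one of the drop locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $data = [string]$prop.Value
        if ($data -match 'AdobeYI|GalaxUX|locaopti') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$k\$($prop.Name)"; Size = $null; Sha256 = ''; Match = $data }
        }
    }
}

if ($findings.Count -eq 0) {
    'No artefacts from this report found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Note that every dropped copy in the report is 2.6MB but carries a different hash from the original sample and from each other, so on an infected host the files may not match any of the listed SHA256 values either; the script therefore reports a path hit even when the hash differs, and the hash match is only confirmation, not the primary indicator. The `C:\GalaxUX\boddevsys.exe` entry appears twice in the Downloads list (2.6MB and 1.5MB), which is why both hashes are included.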

Network

Downloads

  • C:\AdobeYI\adobsys.exe

    Filesize

    2.6MB

    MD5

    3b477f47d6f8caae63a2f1c0e85f7b79

    SHA1

    59740ad26bb9ebd29de1715af29c6e0317487548

    SHA256

    8e142bb68730f5c875b94e32473b39e19e14f4227f4bd7f021c828cb35d3ba83

    SHA512

    918f34b88392f206d1687e5b36c36dd7c1ec104584b2f9178ab7bcdc0d836d492ad73d35955bfe0d57dcbcb6e3a9f99d792e44ab725f6cb574ecce707544203a

  • C:\GalaxUX\boddevsys.exe

    Filesize

    2.6MB

    MD5

    aebf8df897bafdbe1f72d99c04455d6a

    SHA1

    bcd783466be3431826b1facb65fa864dc5d421aa

    SHA256

    7ca99160fbf28242ac1b0bed1e7943d0908b4136bd44c90c3808f7917f08889a

    SHA512

    8346123c8c1e4a03eb33603be70dfa40fe2b3ba07d3d322957baafd8a589f01bde554dac4bd75613e848f1ac75ce2c58c0b7450f42b9753247f77108b42e6ad2

  • C:\GalaxUX\boddevsys.exe

    Filesize

    1.5MB

    MD5

    07e82883123d9ae3b4eecb5436022666

    SHA1

    dbd61f5489aa9f265ca77e722d635355454a5be4

    SHA256

    8e5d401c2f1b04884c96364431b71d14505abfa208b2cca4db7f24d361979cbb

    SHA512

    358c24f77c4eb1a2aa5bfd2f57e3717742260192b0a74bf2108a2bb5be3c35d6da8d84094d986d4bf54d9469e534e76fb279adec99eddfe36503540e8f63d85a

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    35cb595ff132c2620534fe2d0f922403

    SHA1

    92557fe2e37c4f4235950280de0839e24ad5efe5

    SHA256

    8b01800fcd266baf75449dda633816e6394ee492e4169fd0515d80e841a81066

    SHA512

    f0a79fddb91f24e6ca71d8c41bd9a97bc2919f06b26c2c3368ad8dcdcdd6d1d50d1427816ff2e0fc2f62c095b2005d1305810edc15dfbc9d9f1182c4eba78bc9

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    ddd2b10a801d372777871bec50651938

    SHA1

    01a53ae378e5598b8597fb7e7cb74de2112139ab

    SHA256

    cd79ff5dbc003fada298a1945f2ef4ef5f116914d35fbc2a3e176cae7634bf42

    SHA512

    877d5db152870802bc9a73fc6f467f6b7d766828dbec1fc0cddfedde93a5166535bdc6e71993c4a1bcb6eff66c3bd2be44820faa5131b60036f30abf3112dc2b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

    Filesize

    2.6MB

    MD5

    4149536b9227b4e02071b94770952886

    SHA1

    f0747b7cb9dcebfc33d3296adef5cc7fc13fcd16

    SHA256

    0d792e71e221e578973ce197c73ae0de2b299be676e03ad91d65ce9552f984e1

    SHA512

    11d17e20e2d8e7074be4a84e7bda0cbc8f48872f68ed36855d3ac8138c449077831691bee28a3e130c89d01fcf2199b49d6fa1a1cdf4f79e82d7f8af45f1fa75