Analysis

  • max time kernel
    119s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2024 08:30

General

  • Target

    8dfaf613a0ec7bb97fe69f420557c3124afca335c8c20f094b5f6705c53570d3N.exe

  • Size

    2.6MB

  • MD5

    bdf77c6ad1326c6c41a14448f27f7170

  • SHA1

    4a8ed8ec8af818e535332466fa731c3117358883

  • SHA256

    8dfaf613a0ec7bb97fe69f420557c3124afca335c8c20f094b5f6705c53570d3

  • SHA512

    32f87fddd03d1ecc8aab8409a6802e380b86caed332b1ce04e44bd5a51c0ed3ffda7d884fc444eed499b67ea61a8314a119a477b0ebf30d7c0dff0591cd6b768

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpyb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dfaf613a0ec7bb97fe69f420557c3124afca335c8c20f094b5f6705c53570d3N.exe
    "C:\Users\Admin\AppData\Local\Temp\8dfaf613a0ec7bb97fe69f420557c3124afca335c8c20f094b5f6705c53570d3N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2508
    • C:\IntelprocW6\abodloc.exe
      C:\IntelprocW6\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2188

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocW6\abodloc.exe

    Filesize

    2.6MB

    MD5

    c6a5ac176785da7ac966c4759bba0f51

    SHA1

    e8ec59a418f62c741a0a83ea7f232004e94cf4ee

    SHA256

    832b785b0fb761879b03716dba42c159f44673ed4fa536226b0bc969621d4162

    SHA512

    493428b19e4baaaa5b9aac8a3c09294d4abb0c46daf1f675498cbb716e151381cbc26a839edc5ddabe6f7f0a33f40059df36d7fcf7123376187917be3a999e22

  • C:\Mint6M\optixec.exe

    Filesize

    2.6MB

    MD5

    3d6be335029ab84df4404f15a454bcb7

    SHA1

    c0754cb1a4b3743ab1cd655810269a62d03c1ad8

    SHA256

    563eb5b4c3199873844f47a30dded2e60508fcc5f355fe778dce185822287328

    SHA512

    b6e25d85dd0bcb46cb1dff291263ed6acb9f77b85530be6b927f05bedb65d647b369f9c901bc58f735f528df13763fc3fa08376efcfdfec3e72411532de2c584

  • C:\Mint6M\optixec.exe

    Filesize

    2.6MB

    MD5

    7b6a5589cee4e31e69a859aa295e77c2

    SHA1

    111531a36f1d0701c8209ad6f213cfb0d0032289

    SHA256

    f0d81c75585cf9eee4d643e9daa018b9fcac24af84e35cc501b36a910b6e804c

    SHA512

    c97e11b82f457b76c1ee0c08a40c992c38054694dbfc7b15f37514c5f5443aa7f70490699cdeab1d9bde276b4fe41ca9c4baf2700d182b8bfdbf342dd6681b55

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    4d1a96cf93d53c5b27df462064d5672e

    SHA1

    8e5bca048f3e240422225857af44916c5398af5c

    SHA256

    189e10edf4c691b3156d55ebaef7948d882691f8dd4cbe0e6eeedf2440d2f30b

    SHA512

    e46bed4e89de6511395e0df365ac100341fd30b264193ee52713854fbf88446cbf570f352bfae70275d43bc40d73c6721998c191cc3b96d6f7906338e5a05bef

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    cc341c9a82df37159a6f38555325c6c8

    SHA1

    df3866032cc4cb676f7e354a630a4ccd17f4a408

    SHA256

    6db65bee48ea4e2d7df01b0d3e01e9a1269a25a7bb86b4abe493d024e4be8bb0

    SHA512

    20b44bd208b0d32d4d20ab208b9e37ac2d8c05e7315cee622da0388e0774e44417c4d8af6974ed936ce9f55496e4bde5670be6bcf48ea1a6687bd4d004c1d7ef

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    a837963dd08631df7870c75bb4d118c4

    SHA1

    05f07f67bb1311dabbb02554fe9628f28ccd673a

    SHA256

    c77c3663c751304da67d2a9d8c6edd347bebe00aa7dd80d6dd191f7cd167956e

    SHA512

    b6d1be938ef256b69e9916a53f3cbf9b5578878029fec47fbaf20a42f02e6d0c9e5831d782202010dc726ef788bb70daca682a2e6540708b4d363ff6537844df
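The report gives enough to sweep another host for the same persistence: a Run key is added (the value itself is not shown above), ecxbod.exe is dropped into the per-user Startup folder, and two new directories (C:\IntelprocW6 and C:\Mint6M) receive further copies, one of which (abodloc.exe) is executed while optixec.exe is only dropped. Note that the Downloads list records C:\Mint6M\optixec.exe and the .ini file twice with different hashes, so a path-only or hash-only check misses cases. The PowerShell below is an added example, not part of the sandbox report: it copies the SHA256 values and directory names from the report, and the function name, the extra 32-bit Run key view, the all-users Startup folder and the output shape are this example's own assumptions.

```powershell
# Added example (not from the sandbox report): sweep a Windows host for the
# persistence locations and dropped-file hashes recorded above. SHA256 values
# and directory names are copied from the report; everything else is assumed.

function Find-ReportIndicators {
    [CmdletBinding()]
    param()

    # Lower-case SHA256 of the submitted sample and the files it dropped (from the report).
    $reportSha256 = @(
        '8dfaf613a0ec7bb97fe69f420557c3124afca335c8c20f094b5f6705c53570d3',  # submitted sample
        '832b785b0fb761879b03716dba42c159f44673ed4fa536226b0bc969621d4162',  # C:\IntelprocW6\abodloc.exe
        '563eb5b4c3199873844f47a30dded2e60508fcc5f355fe778dce185822287328',  # C:\Mint6M\optixec.exe (first capture)
        'f0d81c75585cf9eee4d643e9daa018b9fcac24af84e35cc501b36a910b6e804c',  # C:\Mint6M\optixec.exe (second capture)
        'c77c3663c751304da67d2a9d8c6edd347bebe00aa7dd80d6dd191f7cd167956e'   # Startup\ecxbod.exe
    )
    # Directories the sample created; anything found here is suspect regardless of hash.
    $reportDirs = @('C:\IntelprocW6', 'C:\Mint6M')

    $candidates = [System.Collections.Generic.List[object]]::new()

    # 1. Run keys. The report says a Run value was added but does not show which,
    #    so every value is collected and the hash/path checks below decide.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumed extra location
    )
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $psNoise) { continue }
            # Strip surrounding quotes and trailing arguments to recover the executable path.
            $m = [regex]::Match([string]$prop.Value, '^\s*"([^"]+)"|^\s*(\S+)')
            $exe = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            $candidates.Add([pscustomobject]@{ Source = "$key\$($prop.Name)"; Path = $exe })
        }
    }

    # 2. Startup folders: per-user (where ecxbod.exe landed) and, as an assumption, all-users.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -File | ForEach-Object {
                $candidates.Add([pscustomobject]@{ Source = 'StartupFolder'; Path = $_.FullName })
            }
        }
    }

    # 3. The directories the sample created.
    foreach ($dir in $reportDirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File -Recurse | ForEach-Object {
                $candidates.Add([pscustomobject]@{ Source = 'ReportDir'; Path = $_.FullName })
            }
        }
    }

    # Hash each candidate and tag it. Both a hash match and a location match are
    # reported, because the report shows C:\Mint6M\optixec.exe with two different hashes.
    foreach ($c in $candidates) {
        $hash = $null
        if ($c.Path -and (Test-Path -LiteralPath $c.Path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        $hashHit = $hash -and ($reportSha256 -contains $hash.ToLower())
        $pathHit = [bool]($reportDirs | Where-Object { $c.Path -like "$_\*" })
        [pscustomobject]@{
            Source  = $c.Source
            Path    = $c.Path
            SHA256  = $hash
            Verdict = if ($hashHit) { 'HASH-MATCH' } elseif ($pathHit) { 'REPORT-DIR' } else { 'review' }
        }
    }
}

Find-ReportIndicators | Sort-Object Verdict | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable. Entries tagged `review` are Run values and Startup items that match nothing in the report; they still deserve a look, since the Run value the sample wrote is not shown above and a rebuilt or polymorphic copy will not hash-match. The per-user .ini file from the Downloads list is deliberately not hashed: it appears twice with different sizes and hashes, so its content is not a stable indicator.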