Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:11

General

  • Target
    ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
  • Size
    2.6MB
  • MD5
    e2c915908dc344b7f41f097704185160
  • SHA1
    3302b95b46ed698840f8a7900f470e6a372cc399
  • SHA256
    ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6
  • SHA512
    35c58c22505af10c0197bda4782d062eb2a4188595b2fef1fbe08050667e625c144526f19ea3176ed819e8b85ab4421c5da6dea877dca137f839311a58701ee9
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUp0b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2148
    • C:\Adobe1I\adobloc.exe
      C:\Adobe1I\adobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1628

Network

Downloads

  • C:\Adobe1I\adobloc.exe
    Filesize: 2.6MB
    MD5: 150c7220a6e81d003e665376d6160a17
    SHA1: a12bee8eb2ec75a11dfb469be652439a0c983f07
    SHA256: da993f3470b38a98679d932982d207e26687be77e86df6d9dd90dca50bf6b30c
    SHA512: a53d6106c250cefd6c16bd77d9793e38eebeb101378e9a6ad23f7ce33f47255e93921d82b8ed75a59f39b643ecc10db460b148f267704b7b5855ba18d2a18d44
  • C:\GalaxX4\boddevec.exe
    Filesize: 2.6MB
    MD5: b6592563985d86e01142ba780f684a8b
    SHA1: f1c2c8931d00b3e75c1a3f4cc0e3730d17c2d43b
    SHA256: bca35dade0b17ba7f80d613c5c01671f4841a871b3d571d491ec1cc258d07c41
    SHA512: 2e01fb506808d9bec50accf3688e38da3c4c16c3e8091cb302823f3118190c865cc37299ccab28c88b449da7f74a1814ad77b1f8456a4ffbbd60fc6bbaec224a
  • C:\GalaxX4\boddevec.exe
    Filesize: 2.6MB
    MD5: 52852db9260eff5578ddf35ac7285268
    SHA1: 0f12795c06ad7b9c939290975896c7c2054c7bb9
    SHA256: 0984926d9ed8488d10b2fb112c1cd8206360fb163636848be84956eea86a0762
    SHA512: d7f6ac56795c7f40a62bdf2f4bb78ca200c1de6a6793d17811a7c0f582a6905b314b735aca90f9efb9bb11ae3b08d8a223f9d0b97432c4fbe0f689c0a786a6f9
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: 85e39321c47d7405f7efbb1eb1fe96d8
    SHA1: d5ab705c5ed9f7c080f300ad3a143a2a05dc0dd6
    SHA256: 0a0de5433fe2fbab278830783e189310bdff7211305330396422a6fa5194c24f
    SHA512: ddd9c87c296f520f652a18bc225507a6c9c6d6e7a9019c2a5840ff9c958a992362bdd3f23e48ec11b254e694f619001f71aadaf62fe1f82bb207b2c09e5d29eb
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: a4ad12ebe5ed13752c79b9a8de878f68
    SHA1: 2546f6b4c3fa9e532dd4a2b75f8a77859ce00dcc
    SHA256: df7d3e438566cf022ba4ba3c72ba8ec7a8010a6ca6989232c6d986c226e41d37
    SHA512: 90916aa06daf0a0d57e26a0cd2445aece43c768e46aff00a7791d29489bc1c5b54b30d2930ad3e52cc6a4f0337fe973094d42bb50549aa95b1214ba0c0fa7139
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize: 2.6MB
    MD5: c91d32c42c1ba68a9e1ec9950ffd6107
    SHA1: 964d0e05b51537a269bc50e66f2fcdfbe71c2a4e
    SHA256: cd594a342ca657f1e8758c03c742dcbdf9312259a60787e9f3d51d3a4b1d7b5e
    SHA512: 3262b9cba35a1f0e11889f34a08fcbb0503461d6b3ef1f155a61b2112e74180cc259208f1011ad124b248a97a73658ac3be2e571130059834655379d67dd9c8d