Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:17

General

  • Target

    4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe

  • Size

    2.6MB

  • MD5

    09e59590edcd3f5696701d395b57e4c0

  • SHA1

    106854f79a73f5e62022a9545d7b4fb7b244012d

  • SHA256

    4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a

  • SHA512

    e2ec36ecfd6e3aa6be9f50526498e4505f2ea05763750074edbe3b66e9add55d0dd958c04d46b8f1c324e9e358c4c4a885dba0db023061f062661f255ea9b4b6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpXb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
    "C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2060
    • C:\AdobeNC\aoptiloc.exe
      C:\AdobeNC\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2352

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeNC\aoptiloc.exe

          Filesize

          2.6MB

          MD5

          13b09ec264017a6746855080acb54b38

          SHA1

          493183de9a35747d99796797521c6e53c4457519

          SHA256

          40f40619be4e9e9002b327ace01e72ae13b1271e2d07369c003d327216959092

          SHA512

          78c4c913e591cda1aa36ddac15d2432654a00d245d5189f1e4ccb7e2ac5b0974815aec8d723e47900fdb3a5e30f9e6b8182043605d7452023d45f26aa5606416

        • C:\MintW4\optialoc.exe

          Filesize

          2.6MB

          MD5

          9c572b0d02ba45d4cbdf9bb8de22ba14

          SHA1

          9a75ed5e18941b3c42578754a1077f61bc475be2

          SHA256

          2d84cfe1d9a5cdc0a99504f086d21682e81cb480de8f2355428d3bd43361b39b

          SHA512

          871addf24fc3c2c14d24c00844bdc24f088b6d418995e97a3e7dc3a421a53b7b7684f256d397698b71264ed94a5abec9252cd2683453a96cd7907c2af90796a8

        • C:\MintW4\optialoc.exe

          Filesize

          9KB

          MD5

          069c7d5ebc20ead441519fc2807acdfc

          SHA1

          94eb49acfddc6450c4810d85271299b49f964a2a

          SHA256

          af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

          SHA512

          91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          249fcf756fb182764352b3dedbfbd9bf

          SHA1

          f518f570ed08664eb37adc49e57eade25a8a5538

          SHA256

          1db47da37f726d385c223a22bdae37178ddf868511909907116f3f84bfa34f93

          SHA512

          80cf3c8d265aa529f5cc4197c1d6f16719a6464c5f46897bdb101954ab50c3a0fe004d45fa4b8508aaa615667dcca7cb7efe38144881d19b92ba7f4ff4f1ab90

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          f0a65ae704b67c221eab61ba1a5f653b

          SHA1

          8cf6801e8aed1cf79d1615c310da06bbf43a70ac

          SHA256

          053a36e58251bf9006bf4bae29af28361d3e934ca3c70a528674e4e61d0bf631

          SHA512

          31d8d94e7ab3e3707c0c03796bd89314ed71102266fd41b7e730b5eb393b31c05bd94037df3d80871614a92f5663c41a9239d6fbe290b917e2113071cb9916ce

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          c8d9ac54abb6fcc2947f37a2be0d5d45

          SHA1

          fb02f3f168868abfab5debe1db540a4abcc9f96f

          SHA256

          ecb269550a4b84adb3a56ad57ad57ca565cfa787cd400b656d1905dd9b002807

          SHA512

          3e2476727aa7377adb129ef41a6cfe9d6bd008a2191843dc5feba8d6d266608e35bf334072a34cbea5900eebb8b6901cf1c519c8d20ddcfc21c42723c69403eb
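Host triage script, added here as an example and not part of the sandbox report or its tooling, that turns the artifacts listed above (the submitted sample's SHA256, the dropped-file hashes and paths from the Downloads section, the Startup-folder drop and the Run-key persistence from the Signatures section) into a small matcher. It flags files whose SHA256 matches the submitted sample or a dropped file, files carrying one of the dropped executables' names, executables sitting in the per-user Startup folder, and Run-key values whose image lives under a directory or name the sample used. Matching is done on basename, directory and Startup-folder suffix rather than on the full path, because the profile name (Admin) and the temp path differ from host to host. The report does not show the Run-key value name or data, so the Run-key entries and the host inventory fed to the functions are constructed sample data; on a real host you would supply a file walk and an export of the `...\CurrentVersion\Run` keys in the same shape.

```python
"""Host triage against the artifacts listed in this report.

Added example: this is not sandbox output or tooling. The SHA256 values,
filenames and directories come from the report's Processes and Downloads
sections; the host inventory and Run-key values at the bottom are CONSTRUCTED
sample data so the script runs offline.
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Submitted sample (SHA256 from the General section).
PARENT_SHA256 = "4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a"

# Files the sample wrote, SHA256 -> path as recorded in the Downloads section.
# optialoc.exe and the .ini appear twice because they were captured at two sizes.
DROPPED_SHA256 = {
    "40f40619be4e9e9002b327ace01e72ae13b1271e2d07369c003d327216959092": r"C:\AdobeNC\aoptiloc.exe",
    "2d84cfe1d9a5cdc0a99504f086d21682e81cb480de8f2355428d3bd43361b39b": r"C:\MintW4\optialoc.exe",
    "af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f": r"C:\MintW4\optialoc.exe",
    "ecb269550a4b84adb3a56ad57ad57ca565cfa787cd400b656d1905dd9b002807":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
    "1db47da37f726d385c223a22bdae37178ddf868511909907116f3f84bfa34f93": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "053a36e58251bf9006bf4bae29af28361d3e934ca3c70a528674e4e61d0bf631": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
}

# Names and directories the sample used. Full paths are not compared because the
# profile name (Admin) and the temp path vary per host.
DROPPED_NAMES = {"aoptiloc.exe", "optialoc.exe", "sysabod.exe"}
DROPPED_DIRS = {r"c:\adobenc", r"c:\mintw4"}
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def match_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Dict]:
    """inventory: (path, sha256) pairs. Returns one finding per matching file."""
    findings = []
    for path, sha in inventory:
        sha = sha.lower()
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        reasons = []
        if sha == PARENT_SHA256:
            reasons.append("sha256 matches the submitted sample")
        if sha in DROPPED_SHA256:
            reasons.append("sha256 matches dropped file " + DROPPED_SHA256[sha])
        if name in DROPPED_NAMES:
            reasons.append("filename used by the sample")
        if parent.endswith(STARTUP_SUFFIX) and name.endswith(".exe"):
            reasons.append("executable in per-user Startup folder")
        if reasons:
            findings.append({"path": path, "sha256": sha, "reasons": reasons})
    return findings


def _image_path(command: str) -> str:
    """First token of a Run-key command line, honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values: Dict[str, str]) -> Dict[str, str]:
    """run_values: value name -> command line from a Run key. Returns the entries
    whose image sits in a directory, or carries a name, that the sample used."""
    hits = {}
    for value_name, command in run_values.items():
        image = _image_path(command)
        if (ntpath.basename(image).lower() in DROPPED_NAMES
                or ntpath.dirname(image).lower() in DROPPED_DIRS):
            hits[value_name] = image
    return hits


# Constructed sample data (not from the report): a different user profile, a
# clean system binary with a placeholder hash, and a renamed copy of the sample.
SAMPLE_INVENTORY = [
    (r"C:\AdobeNC\aoptiloc.exe",
     "40f40619be4e9e9002b327ace01e72ae13b1271e2d07369c003d327216959092"),
    (r"C:\Users\jsmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
     "ecb269550a4b84adb3a56ad57ad57ca565cfa787cd400b656d1905dd9b002807"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),  # placeholder, not notepad's real hash
    (r"C:\Users\jsmith\Downloads\invoice.exe",
     "4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a"),
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "aoptiloc": r"C:\AdobeNC\aoptiloc.exe",  # value name assumed; the report does not show it
}

if __name__ == "__main__":
    for finding in match_inventory(SAMPLE_INVENTORY):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
    for value_name, image in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print("Run value", value_name, "->", image)
```

A hash-only match would miss the renamed copy only if the attacker rebuilt the binary, while a name-only match would miss a renamed copy of the original; combining both with the Startup-folder check covers the three persistence paths the report shows (Startup drop, Run key, second-stage copy under a fixed directory). The two partial captures of optialoc.exe and the .ini are kept as separate hashes on purpose: a host that was interrupted mid-write will carry the shorter file.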