Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:30

General

  • Target

    be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe

  • Size

    2.6MB

  • MD5

    accf34785eae1f5727b18983b01c38b0

  • SHA1

    462a1bb16c7eb99319f254eb1df1e852b2ebfeb5

  • SHA256

    be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7

  • SHA512

    072ea1f8d38c649328231e4310b1bcaf70734ae58033121d9acc751a774777926acc22e50cdae20eb48463f347669cd96649f691fedb001cbfef6bec971b7da8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpUb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
    "C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2344
    • C:\AdobeGM\devbodloc.exe
      C:\AdobeGM\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2496

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeGM\devbodloc.exe

          Filesize

          2.6MB

          MD5

          d5b3a7c4dd81660c7ba05234812498e5

          SHA1

          4122a8dfa3c5dd571ce3a167bb324dfad086be43

          SHA256

          31f0744041b0a484a746cbc631e9ec9dc06593a936c6e7d125739c87a478b3b1

          SHA512

          149f1d0ccb641d0b29d642a701e63b39468860717f36ab124d87f6f6b63bf1e178071d0e04e4a782ad600aeec02d9bd811f94b188cbab1e92d8390239874f13b

        • C:\KaVB8Q\boddevec.exe

          Filesize

          2.6MB

          MD5

          85f1412a33b81decd52d503a61939ceb

          SHA1

          f0063ebc9de0ca0b995bb7c3e560476ce75c92d8

          SHA256

          1eb54b8b123284561b91f692dfda188447a7ec1a9b224a6202cb899725c10df2

          SHA512

          a997c3afd6a06172755778473d3090f830099dbe8205f9fbb5aa55459356544a4f1e04e2047113c173151ca7fe2e86f8efaf12ca8e2810d80c3090c724ddc3e3

        • C:\KaVB8Q\boddevec.exe

          Filesize

          2.6MB

          MD5

          5a8a731bdaed01719111732a65c1eb31

          SHA1

          0c0ce22506530dfdf7cb3efc00ed2036e3269b33

          SHA256

          bfdcc8032c4bb14a70ab977e0ae8ea968a5f9cbffa6fee00fb8a5fb561446132

          SHA512

          53c59f105651f83da0e2092f74527b019603b362a1efcc7296703fa0dcff7b0257fdcc358533a60cb6a29a5066d33539c19ecbbc415743be34be89d3225af4dd

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          172B

          MD5

          aa9a44e7b934977f1be0edd92371b2f6

          SHA1

          ba2e8c774a0ef9072f954a3c6b84e757bac73563

          SHA256

          515b38afdb76005f15622548f2d093a0ccfbdaf086ed5b6e5cf6a15682f9820b

          SHA512

          94b434a59c2973c446fc359d162973ae3667dc0903cd3b73ad0fe6a1b6884bf3cd014c7397d7345255094ce69610d7e4f606f11e2a904d1e839d8eecc69d7eda

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          204B

          MD5

          0738ee3f61ca8e684201eb10c691af43

          SHA1

          ecdefeaebcceca2948e24f1f75aeabe6d3b438a3

          SHA256

          587e9e7f053da2ff2cea8caac32d76e514b78c6471d4424a85e7d123b839bce0

          SHA512

          b9f23ca87537887a9640029ba3e373fe0f6c3d6cfa45494e2e605b56bedd596de311cde9f7c6b00d8385b14d91857a95937202d6b3e2f87502c257c809e9c1bf

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

          Filesize

          2.6MB

          MD5

          0c04ddc916e56126549e98c28d75db86

          SHA1

          edd8072f7580ffe88dfdf8d39ea732f5e1abf31a

          SHA256

          f82a403dce3e47e028685958032fa47c82c550c3555c82a2d346c05afc690727

          SHA512

          9d1031662c570779538489427420521305d31b42b555637e24af0b333e5d297aef7d254682e4e85c6262a48c74bf2970d1a57aa80d46eb4b45f369c1a58cd88f