Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 22:31

General

  • Target

    5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe

  • Size

    2.6MB

  • MD5

    67021d50d2ef7b5d6af33d2f6d9d4990

  • SHA1

    96cdb395a603e4418ebdac4275e2eeea03d242e0

  • SHA256

    5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2

  • SHA512

    cf1b7e39de9b65e8a3a99f88bda660b15ea1b85176fbb6aaa9a36db83ed7b319427e310c0d103b6fec7c3668d989c21c3cf22c793d15cc44aff31668a5bbe1fe

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1144
    • C:\AdobeIJ\abodsys.exe
      C:\AdobeIJ\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeIJ\abodsys.exe

          Filesize

          2.6MB

          MD5

          0407f06098d6a9dad3830dcd9d1839d2

          SHA1

          cdd5dc1352c2b1efd29d19ee5832cbe5f99374a6

          SHA256

          07fc5974f0c21868898ce347f3e7392b8cc00e6f5a6e89432462ebea46f39ecc

          SHA512

          97a51c1cc5669cb49736f7a72525b5807eaabc014bd54859f6bbfcb3fcd7b50f79abcaaf222d41fae5aa256a18a452af56799ba893664b62aec50530b2ffbb44

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          ec23fd78a0ff407a5424d43ac152b3db

          SHA1

          9c1139e7be79ad3ba98cc84710a2780c9770292a

          SHA256

          ec7e5c059b5df06d5385bee862c365bc7ae5e5b1f873e099b9073675af639711

          SHA512

          287770f1023c989a9dfec272602153729c936789a36e8a2ce792d32e0088b9ac4d32bd8524d94915030c6b06b2dbe137fb88d2d8145cb8184189b9ed6a158be7

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          e4b0a200b6d697eca857e2ba41547062

          SHA1

          8ea6b02866d1c2d63bace93665a99e0efa6407ed

          SHA256

          c47f0f603207962bfe07dda571a90d318b65a87f53a5815589896aac1ffd50e5

          SHA512

          c56439f7e8f0f2ea50016a55fb088e56aa565bfb81fce8b9c6129f8def1bdc301fc74819c9a73804a450ad24479c51fe2aee5e05efd3ceecb95f174c4e86ddef

        • C:\VidH3\dobasys.exe

          Filesize

          2.6MB

          MD5

          b6d8bb080ffc30e8bc4c2a14f4d227dc

          SHA1

          5fb48f98295a1738289f3d7c467c4249aa3a1271

          SHA256

          a2c14847e80126752a6d847148d6c8f246e994464a824c7e83c6d638d6270771

          SHA512

          c31901974c58016fa55358e9ae39923f83471648b6a1ff18c3e18e8ad65814dd9f0eb4220c716f14fe95268c09104a7e91e947a391d740e353024956dd951432

        • C:\VidH3\dobasys.exe

          Filesize

          960KB

          MD5

          32a12fffb91f7574b7ee8257bb2bfa1c

          SHA1

          075b0199d5d34bd0f32b99f622a41afa192da49f

          SHA256

          aa469563aee02de6f0826682e8c80a753f93fa9f27258b766d0bb8d9def92eb9

          SHA512

          429e56ff041f0aee29dfe6fd5dde029e04e2fa09555414974a9a9c4a771756483739fea06de6a5f6372e7f4f5b12fb15e2c638f5d236076d83c59049ba7cf5c2

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

          Filesize

          2.6MB

          MD5

          c07b9cf2d93c17de9d7b5c5205504915

          SHA1

          c00f7c3149d51544f6f6bd9b523ca564749c6800

          SHA256

          bfc76d427682f31e30cbfc80cad15f6d8efe991db5ba5db312e0d654b0f37d68

          SHA512

          e48ade98a36821d1819797aaaf45feea876ada59836612dccc295e7108a2e80f895ced403bd6e3b42c9317d2475bebd766cd756d461e597f219214876cc2b28e