Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 22:31

General

  • Target

    5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe

  • Size

    2.6MB

  • MD5

    67021d50d2ef7b5d6af33d2f6d9d4990

  • SHA1

    96cdb395a603e4418ebdac4275e2eeea03d242e0

  • SHA256

    5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2

  • SHA512

    cf1b7e39de9b65e8a3a99f88bda660b15ea1b85176fbb6aaa9a36db83ed7b319427e310c0d103b6fec7c3668d989c21c3cf22c793d15cc44aff31668a5bbe1fe

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4852
    • C:\Files9Z\adobloc.exe
      C:\Files9Z\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Files9Z\adobloc.exe

          Filesize

          2.6MB

          MD5

          ffdc4ff2abd3e19c131d1a2d301c1289

          SHA1

          c0f0b291ca6b2cc549bc38ecfea6ef649ee3da1e

          SHA256

          73445eee3c9f1327d056f8519d92bef33ccda6a00807d0d75dd471e3201781fe

          SHA512

          211b260129247031284402411da259cab5c92d36b12b39478f909910730028d7b04b76798784be24f71c88fcf40f0fda84c8738ec5a767a7c566c9ba9951ce56

        • C:\LabZK3\boddevloc.exe

          Filesize

          2.6MB

          MD5

          2eb391968816d7122b3af25b8833ca50

          SHA1

          35e3f80179a4b4f26754984f58abf1eb9760b2f1

          SHA256

          78f68dfffed0b3717f863171d14c5b19eeb02cb7a876eaca714a0a4e233d0d54

          SHA512

          4c1e8c6c1853a07fc2b26a2afc4ccc88448e9d3208c330f6a6fd8c9c877f5566996fd95b4787af1d2731acf2b8c6ced1fb08f42fdc04384544614f42d49728e2

        • C:\LabZK3\boddevloc.exe

          Filesize

          1.4MB

          MD5

          3bacadc52901f954dce0a5446166fe93

          SHA1

          b29f3d30a741a100e701927a676863b496bbb044

          SHA256

          33fd825e2c21dedd19b54fa868bee99e9f0d3bc4c72817d4fdf1c70c208a874e

          SHA512

          f7e6cf5b363867db10e21159bea60b6a41bce944d0c18bfeb50587530c4c2348eca8a4ead244d178c3bf56997c6351f3d19bd2aa88a0ee51f76643d306d5fffe

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          93f460237f451e4ccf701c52fba40e30

          SHA1

          31f0433907e768fcb2c397c965b0814b7fbf98ab

          SHA256

          6172a5e8d0853619ca11eb56a33345dd8bee711ee728eb82912d6e3e5daa1ef5

          SHA512

          d31496d79a970a0d6c9bf581f1a77f330a638c4d55e3ade2c14048e08e0e2c6d0288c1800122fd827a115b751fbf85bdab054682d9eb88be6fb73bc6ab60e477

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          0a816590c9f3757763af7e920b2e0835

          SHA1

          82620a2bf429e6952fd463e26267b8f9cefd1155

          SHA256

          1c5abc3641d6956a45ff7e55d55e81fea309256899b96c414f3d11af02b4b969

          SHA512

          4633c440d83fb77c92ad1e57d7c17f5c33523dab851d80555270d9979784f940a573b309eb884eca6f22f7b7e932f2e571b0dc9eb2a1917206b63c01fe7d6edc

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

          Filesize

          2.6MB

          MD5

          91ff049977cfedcd8a11e95b641b73ae

          SHA1

          c560a627a4bc4a35ea8b6c47749faf819c4cf615

          SHA256

          63e05b02d2a6a89f56b127bf8ff8b438cafea637c21cdc03786b50f400306482

          SHA512

          9f89ecebc29418b95f8a13c779fedabb2bb0818233cbd6e46fab9cc765fb33414e5f24e1f5ef16b730baa3ac8c97bc2b749d255f317e0a6f3c3f03d615dd318f