Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08/11/2024, 22:49

General

  • Target

    124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe

  • Size

    2.6MB

  • MD5

    9feeca57632898e3da8059d8a4bc2340

  • SHA1

    5d4c5b58eb8b2e0b23edcbd7fdb5e770d01b4d3f

  • SHA256

    124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287

  • SHA512

    bead80473821d2964cb9f4b64f6c4c7736b7520cdd5ce44bd619d68738ed21d6843c043e8bd545b73ec9acc8426c13ae8c17e2448648d7381166e972ae2aa8e5

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUp+b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe
    "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
    • C:\SysDrvPC\abodec.exe
      C:\SysDrvPC\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2448

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\MintAR\optiaec.exe

          Filesize

          2.6MB

          MD5

          192b751a0d7753e6e15f764f6cd9ff9a

          SHA1

          0eb5e6928ee1c190279f10a2f00dc31cb8a40dc3

          SHA256

          9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296

          SHA512

          163baca775305cf722c1a37babe081d0115fa82e083f83b2f4881aa2c28b5ab69172e8c8e42caec6ea94303db2226120266798b8058b87b821acde68452545be

        • C:\MintAR\optiaec.exe

          Filesize

          2.6MB

          MD5

          6bd2c663ed8807c4a06d9d525a0505e6

          SHA1

          daed1e919dc741805951ccfa50e0012e69f8efef

          SHA256

          e4ca5c6ba4171f193febad64c1425c581e4b4812c71a2f71df75febe53c800d1

          SHA512

          3edec5c463be6fb40b52866933a66d743cba15b521f584bfb2191a60a899840e3172fb2d458360945404453fe03540697861b518580ac25120381b315ad72a83

        • C:\SysDrvPC\abodec.exe

          Filesize

          2.6MB

          MD5

          67d2027f8824b7369d01ed99a320f7c2

          SHA1

          2254852735be28c83c4558e73b4ddbf33f2ee240

          SHA256

          e2817ec6e047a7407e5a92947e1765c81b481c61f7e1349492616dfe4a387125

          SHA512

          461784eddb6cb4c22b06a8e33b6681059818c1df43d7bc35214c16ebc6d9290f5994d25251481e75084e2db190544bfc21422affd2b61a28eccce4c724df8841

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          8ec0023952d03d5154e5a19790f640dc

          SHA1

          8bbb572cb647c92a2b98a90972713ba315d4377b

          SHA256

          caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97

          SHA512

          1d95295863089aa85469498aca46eaef2190c9d6fcc96269cbc00fd44cf8523323f895d0aa41551664533348dbcf4ec448b62b282a1658a92b2e21f47ceeb50c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          24149af154da5fcdf391c93ce3337c57

          SHA1

          f383b70bd730c747dc1a091dc5179b5dcadce083

          SHA256

          1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970

          SHA512

          63b8475ede8672f0945e03c618e63b8ddd7e5e5084a35805c98a0dce0ed75464c781ad8c2769654ee5492c9b5b6bfe9bfe405042ea81f8278e55ade95e38d341

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          ea93623332821ab1ff104b59324bc94c

          SHA1

          a0d6f2498fbef65967f2e3245405cd7387dee7d6

          SHA256

          349663df222b5634b17db98aa0dd0fab7d9762387df4edfe2ce08fd2919e3fb7

          SHA512

          0c3daf332bd8695ff7cbff8e33db8d22ed0113b898cb988d3bfb7490bd8021b2a316d7caa42677fb73c013fe407d6686f97df87542d34417fa756603e444deb6
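
A checker built from the indicators in this report, added here as an example (it is not part of the report and not the sample's own code). It matches the SHA256 values and file names listed under Downloads and flags any executable sitting in the per-user Startup folder, which is the persistence the Signatures section records (Drops startup file). Every dropped copy carries a different hash from the parent, so the name and path checks are kept as separate, lower-confidence signals beside the hash match. The generalised .ini name pattern and the placeholder files the demo creates are assumptions made for this example.

```python
"""IOC checker built from the sandbox report above (added example, not the report's code)."""
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# SHA256 digests of the submitted sample and of the dropped files listed under Downloads.
DROPPED_SHA256 = {
    "124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287": "submitted sample",
    "9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296": r"C:\MintAR\optiaec.exe",
    "e4ca5c6ba4171f193febad64c1425c581e4b4812c71a2f71df75febe53c800d1": r"C:\MintAR\optiaec.exe",
    "e2817ec6e047a7407e5a92947e1765c81b481c61f7e1349492616dfe4a387125": r"C:\SysDrvPC\abodec.exe",
    "349663df222b5634b17db98aa0dd0fab7d9762387df4edfe2ce08fd2919e3fb7": r"Startup\sysdevdob.exe",
    "caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
}

# Executable names the sample wrote. Each dropped copy has a hash different from the parent,
# so a hash list alone misses rebuilt copies; a name match is a weaker, separate signal.
DROPPED_EXE_NAMES = {"optiaec.exe", "abodec.exe", "sysdevdob.exe"}

# The .ini is named <digits>_6.1_Admin.ini: 6.1 is the NT version of Windows 7 and Admin is the
# sandbox user. Generalising to <digits>_<major>.<minor>_<user>.ini is an assumption of this example.
INI_PATTERN = re.compile(r"^\d+_\d+\.\d+_[^\\/]+\.ini$", re.IGNORECASE)

# Per-user Startup folder, where the report shows sysdevdob.exe being dropped for persistence.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def sha256_of(path):
    """SHA256 of a file, streamed in 1 MiB chunks so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, digest, known_hashes=DROPPED_SHA256):
    """Return the list of IOC reasons a file matches; an empty list means no indicator hit."""
    reasons = []
    if digest in known_hashes:
        reasons.append("hash:" + known_hashes[digest])
    win = PureWindowsPath(str(path))  # accepts both / and \ separators
    name = win.name
    low = name.lower()
    if low in DROPPED_EXE_NAMES:
        reasons.append("name:" + name)
    if INI_PATTERN.match(name):
        reasons.append("ini-pattern:" + name)
    if STARTUP_MARKER in str(win).lower() and low.endswith(".exe"):
        reasons.append("startup-folder-exe:" + name)
    return reasons


def scan_tree(root, known_hashes=DROPPED_SHA256):
    """Walk root and return {path: reasons} for every file with at least one IOC hit."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        reasons = classify(p, sha256_of(p), known_hashes)
        if reasons:
            hits[str(p)] = reasons
    return hits


def demo():
    """Scan a constructed directory tree of placeholder files (not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp, "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
        startup.mkdir(parents=True)
        (startup / "sysdevdob.exe").write_bytes(b"constructed placeholder, not the dropper")
        Path(tmp, "253086396416_6.1_Admin.ini").write_text("constructed placeholder")
        Path(tmp, "notes.txt").write_text("benign file")
        return scan_tree(tmp)


if __name__ == "__main__":
    for hit_path, hit_reasons in demo().items():
        print(hit_path, "->", ", ".join(hit_reasons))
```

Run it against a mounted image or a user profile instead of the demo tree by calling scan_tree on that directory; a hit that carries only a name or startup-folder reason deserves a look, while a hash reason is a direct match with a file from this run.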