Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:57

General

  • Target

    b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe

  • Size

    2.6MB

  • MD5

    23e5741a9817b7a6135e8fe7c1cf6110

  • SHA1

    a3e03c16f065cd045e2ee5b7e27b046aa2c75ed4

  • SHA256

    b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03

  • SHA512

    c7085468fad9ddbe62b5aad2b316813bf6bab358041dbcd7ed05542d5d7477825a28bc6fdac6eb90b02b7833d205126bf147bed93272a3ee77b8e2cee44462c0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpjb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
    "C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1648
    • C:\UserDot1O\abodloc.exe
      C:\UserDot1O\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2600

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZE0\dobxec.exe

          Filesize

          2.6MB

          MD5

          37ec865423324808010f44da53a04a7e

          SHA1

          f7b6574c6068a87742ae65eb65631dcc7037af85

          SHA256

          37b1fff7af08fc01d50d8d0375b08d9a12b69c5f0e6ecf1740e6162205880d1c

          SHA512

          85a83aa58bef7f4173ab0164bc63d45541136b09f650177f709f3c36e0fae7a5c12c39fa00be2519e4e6dadb701c717defe08678f9c4d60c75dde27aa33fe789

        • C:\LabZE0\dobxec.exe

          Filesize

          315KB

          MD5

          a5f5abe78aea816256f1a9c58d2d67d8

          SHA1

          daf3591b038d8c6dd42c9337374100c7a612e917

          SHA256

          bb0c2e66b816aa8d8b5d3be885824cf1de8135434684977b680d07b596f40c28

          SHA512

          ae2f8567cc511e9651c44bab0676603f918da71bb07d91f9ffd6bd474213823187d7a4b601509d172ca67ad5a5db265e53bc0a779d35cfea42e99d4ae2245eb1

        • C:\UserDot1O\abodloc.exe

          Filesize

          2.6MB

          MD5

          cd72d52aee41a314165a81b867c196dd

          SHA1

          9f410976532d24c0aa7fbcaadfe4d576618646f5

          SHA256

          81529b8dd4e9112798fd294e91e5df72adcbdd2472f353652446d14d099b1826

          SHA512

          125e9f5065471a1ea47b8f85bd6ea7d65c51324f76c1342beeebdfc802648a81a1ec837d7dfc40b6ce7aeedbeb10816672fa649d4617d863d7b3c680b80e05dd

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          169B

          MD5

          7930e14bd379acee77c00ed13dbd967d

          SHA1

          7e631b89003c26e724fd62c3007f666eff38bcff

          SHA256

          de1df46f215ad921f6c5ca6c9eed067cf7d0b1099bfc2c13f1b282c8e8c37066

          SHA512

          086cc633ad69db5d31b56e82e1237cf8a09f2b134a1d1e62b575ab35b56b779a643e9a6164389bb916457d33ec47e92cf208442905556b38394379ecf57d05a3

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          201B

          MD5

          1cd7d8cdb61dbc52e1784d38c5b3bc67

          SHA1

          e370d312acd9f80c51f9c5ca4fae96405ba207a2

          SHA256

          4d6faab6a156e9370d0dde5e8107d4a409f7bb971a487090331da75dcde394c2

          SHA512

          857cec9b63cf9398af334577c7ccb393524fd7c94d6a2a40adaa2fcded8e034d3d28a36c64e58324f97b3c05b40a0ba83d3e8bd22ea077c567c239ea40b43d02

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

          Filesize

          2.6MB

          MD5

          80532a04a71c95a9db1b22527f664f5f

          SHA1

          df917a4f7dd1e04bd2e8e03a047fedbe791212b6

          SHA256

          43cc6d7d57eb2be88831c9aa65d4aee6cf3ae0cbac6230508e99e58f9906fd0f

          SHA512

          6eb52e19d4e29a254c0609a47b4e2ee2879505ed8617389613e89a53248a731648ea092a43fa546580959b9378e9663c7caccd945cd2f327393e78143e80f586