Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:19

General

  • Target

    e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe

  • Size

    2.6MB

  • MD5

    5d1714a9bfb70a428bc441e42d1a9700

  • SHA1

    2befcff7614059fce1be59ef2bf5b678bd30ff11

  • SHA256

    e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0

  • SHA512

    a2065f35ffb787e160b3527e1b1af1eb59dd5527d9c86aa5c716484c67a476b25ac84c41560f6d7a0e134a18ea455cff121997964fbee9a90bd3835638226949

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSq:sxX7QnxrloE5dpUpObV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2696
    • C:\FilesFA\adobec.exe
      C:\FilesFA\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Network


        Downloads

        • C:\FilesFA\adobec.exe

          Filesize

          2.6MB

          MD5

          b653131fedf698436e569718ef262593

          SHA1

          c2c02d060d088dc4182e9e584d544623f4a278f2

          SHA256

          a565b9954b25da2bfc627323e6e73ff18b98f58ccee59a6f1b8c937c7bf36281

          SHA512

          e759765f550aa75dbf7a0513e6fd3fbb5c69e8bb83ed269a5cecc744d654ad3b785058a72a5190bae6bd254378847b42438ed0977c7e9d92a51259de6d4a57d4

        • C:\KaVBFC\optidevloc.exe

          Filesize

          2.6MB

          MD5

          7ad0bed9a1fc387b319abf0219aa4657

          SHA1

          d95b00034d89b1143157f286c4ea7f4e56f77e0f

          SHA256

          e871ef45e9a99bec4827519709907edcd776c4159da9906e6e706b184da0da60

          SHA512

          a44152864dca94e6362370d8ff2d89d855d734cc5686a17f64f1504cf1bdbe9a38fe42997e87a9bdee5946d626c995680bdef6d2c0b98bef356406532e3798cb

        • C:\KaVBFC\optidevloc.exe

          Filesize

          2.6MB

          MD5

          7d75799469f8abc715fd891a9a7fb06d

          SHA1

          eab6f28766adcd1b29418d5fa68262505fcd3dd1

          SHA256

          730fc6b5bdd0b94d23ec69c89a27a7f01a8bce61853a009577b8bb5fb3edd1d0

          SHA512

          de807ae60b22e9dac1161dff74fba02963be1ba65d0fb7939039bbac13de7f8e9a2956d3e3cb917664f2c4bda53d8697634fe27f87a1870e7ce7b03c2ed51c4b

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          14b3992cce671a73a0c560447b8636b4

          SHA1

          207c7f5c315337c8dd9db6154477eaced7b2564c

          SHA256

          e4bf3376ba33103fb3f10104a14023c82845de5c99c7b2c50b88e3536e343fab

          SHA512

          55d50a7438cf71f9d73a342834a9d7f0d5a5c2b1101085f53cd7db91ad5c8fe9d8f777b823624d5ec810213ab805e36f41d81dc8b26de80c58e58827d30ad521

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          6c033df2c2703423e81821e17ff1c4b4

          SHA1

          3aac19f2e69c81cf1f53bb7981acc8d553ca116d

          SHA256

          87fbabe400e7c0e41a61c55ad0b366ac5547501f176453ef33ca3646c80a6821

          SHA512

          2ab50b8dfc85efc5c50d0654becd0c153d3ecdc645c216f9d9535e65310cafd711e9d95a3a0cac3a4d6a0ef38634e3d62b70a7d9a9d47d82fd06df121c1af56b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          5f910f81543631aaa34176a845d6e05c

          SHA1

          326e311bebe86d878ca7d6f1e773bba52b6c1a86

          SHA256

          60142e28861dc585d0d2a5ab70b7807fdd2ffcc4f787bd8b9ceb7495da271455

          SHA512

          bb9c31afceeb09a02db361a62b9cb186c4f6c005b09cd117894bdfa442ce12fed34291070d42307bfbf321e34054b6307a5452d2230cba2404365813015ec6d9
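
An offline sweep for the artifacts the Processes and Downloads sections list, as an added example that is not part of the sandbox report. It walks a directory tree (a mounted image, a collected triage bundle), hashes every file, and flags anything whose SHA-256 is one of the dropped-file hashes above or whose name is one of the dropped file names. The hashes and names are copied from the report; the function names, the regex for the `.ini` file name and the constructed demo tree are this example's own assumptions.

```python
"""Offline sweep for the dropped files listed in this sandbox report.

Added example, not part of the report. Hashes and names come from the
report's Downloads and Processes sections; everything else (function names,
the .ini name pattern, the demo tree) is this example's own assumption.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 of the dropped files, copied from the report's Downloads section.
REPORT_SHA256 = {
    "a565b9954b25da2bfc627323e6e73ff18b98f58ccee59a6f1b8c937c7bf36281": "adobec.exe",
    "e871ef45e9a99bec4827519709907edcd776c4159da9906e6e706b184da0da60": "optidevloc.exe",
    "730fc6b5bdd0b94d23ec69c89a27a7f01a8bce61853a009577b8bb5fb3edd1d0": "optidevloc.exe",
    "60142e28861dc585d0d2a5ab70b7807fdd2ffcc4f787bd8b9ceb7495da271455": "locadob.exe",
}

# C:\KaVBFC\optidevloc.exe appears twice with different hashes: the same path
# was rewritten with new content during the run, so a hash-only sweep can miss
# the next rewrite. Match the dropped file names as well.
REPORT_NAMES = {"adobec.exe", "optidevloc.exe", "locadob.exe"}

# The .ini was written as 253086396416_6.1_Admin.ini. 6.1 is the Windows 7
# version and Admin is the sandbox user, so the name differs per host.
# Assumption: the leading number is host-specific too, so match the shape only.
INI_PATTERN = re.compile(r"^\d+_\d+\.\d+_[^_\\/]+\.ini$", re.IGNORECASE)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-MB droppers need not fit in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, hashes=REPORT_SHA256, names=REPORT_NAMES) -> dict[str, list[str]]:
    """Return {path relative to root: [reasons]} for every file matching an IOC."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        digest = sha256_file(path)
        if digest in hashes:
            reasons.append(f"sha256 matches dropped {hashes[digest]}")
        if path.name.lower() in names:
            reasons.append("name matches dropped file")
        if INI_PATTERN.match(path.name):
            reasons.append("name matches the per-host .ini pattern")
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed tree (none of these files are the real samples) and sweep it."""
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    startup = root / "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / "locadob.exe").write_bytes(b"constructed stand-in, not the sample")
    (root / "Users/Admin/253086396416_6.1_Admin.ini").write_text("[constructed]\n")
    (root / "Users/Admin/notes.txt").write_text("benign file, should not match\n")
    # Constructed hash hit: sha256(b"abc") stands in for a dropped-file hash.
    (root / "FilesFA").mkdir()
    (root / "FilesFA/payload.bin").write_bytes(b"abc")
    hashes = dict(REPORT_SHA256)
    hashes["ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"] = "constructed test"
    return sweep(root, hashes=hashes)


if __name__ == "__main__":
    for rel, why in demo().items():
        print(rel, "->", "; ".join(why))
```

Point `sweep()` at the root of a mounted image rather than a live system drive so the hashing pass does not trip on locked files. A hit on `locadob.exe` under the user's Startup folder is the persistence shown in the process tree; the Run key the signatures mention is not itemised in this report, so it is not checked here.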