Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/11/2024, 14:49

General

  • Target: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  • Size: 2.6MB
  • MD5: a090dc0f5b9a2dc6498e66d6336da710
  • SHA1: ca5f8b4ba7aba68609734727e7c9ebac0bf6a407
  • SHA256: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7
  • SHA512: ea713af642c65d011ad5b2c9c8fd325f7027c4598914589f6033ce0659d2e8a86798eb15a7eee591e5e0d2bd01c98dad3b9ebec296aa6743741795f5415a1243
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
    "C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:772
    • C:\AdobeTX\aoptiloc.exe
      C:\AdobeTX\aoptiloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2340

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeTX\aoptiloc.exe
    Filesize: 10KB
    MD5: a86336805b3d53c18600c251ef3cfa32
    SHA1: 69594cfc6347aa438b9319dfca41704cf4607aa6
    SHA256: 8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5
    SHA512: 2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

  • C:\AdobeTX\aoptiloc.exe
    Filesize: 2.6MB
    MD5: 1b755c5693b5a398bd557ab5fe9eab57
    SHA1: bf42a199b2e89b29f1004f8c1902b30d0e0465cf
    SHA256: c331988ef233c568baffcf8036f4cd6146a751237df4745e8b45126dacf9d3bc
    SHA512: bfffa53c3e9ebd74a26709dc3a83f0f06c58e282f136da8ed304ac792b0b924cefe8e28cd5348887314f0fb094f187c896ead532cabd841c764c84ac42de4e49

  • C:\LabZ10\bodxloc.exe
    Filesize: 43KB
    MD5: 10d3f3e58a3ef58f5171e4ae32fa456b
    SHA1: b11202a2da9a50ecbc728f5b227da242dbb076b6
    SHA256: 39bd105cae5dd3bc06221de8f19f3df1bb1087d9be94f352640741467eb2a690
    SHA512: f769fd795c333c99341608ec887ab58b9db5899015cc0fa119e2f82b07431f705e4054f585cbb14bad80ceff7a0d52cdbe8093f5c4d101b238c20d88213c09cb

  • C:\LabZ10\bodxloc.exe
    Filesize: 2.6MB
    MD5: 65890064a665bbb28dae4960ea463bb0
    SHA1: 3626e521e32275aa6fab8f1bdc8cffdfbe6c9ea2
    SHA256: 1ab15c9c3b29c4abb7093cf5c5409027ca290c99fbd7e5e4757dc5bde20b64f6
    SHA512: 77bf6bb968f213ab51c924ec31d1538c8a202342982902b5e223ab4d8a67417889de6a16c05aa795ab84e617c8426ace9308e4e5fb729aaf5688d0f475119677

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 2273759d6a9ba1f9ecf948188f89de26
    SHA1: 74f5e6b3244e65dab374e82588dff3bcfd9ede5c
    SHA256: 0ce01ec4151cded19373545e0f0b795ab453b01ca03a8dfc3fa184aa5811d952
    SHA512: 00126f310461b3bbfd9d0e14c6ad2d7a32f2b421734a89111bae5e1531869f8c9540c769180f79d1c2aeeebc23df24703cefccb6959e5be5980be446087990d7

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: 970cfcfc64d24f75c8464fe8ea3a7dce
    SHA1: 16a9c16fb89a8c54bd3eefb33fb89450ada18090
    SHA256: 6c525c8995b523cebd38e92c2195c174d02cda9548347913dada106a5c5a932d
    SHA512: dff21ee4bd79a5ff8ff848cb0ba82b837a5f19362f88301bede49c95f9695195b6357babba5253e00316567e1b6be49da99ba1634317e900088a90843b79f2ef

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize: 2.6MB
    MD5: 31113fda57de423fd9c7e1b926863c74
    SHA1: 0f22f605afdd172e56427f9d3d7cebf9e789c0d2
    SHA256: 3f1b16ca9fa485303ad521a9d6dd04d9436bc50267559aa4279ef322ffded3a4
    SHA512: 6906a3cf98cd5f4bdd782b773fd02dd9aba808ad7e579ce752dca115d1fe1cc9585288180258a3f36424c1daf0b29abfb0f9b8a55454d918ef5aad1f7da1042a