Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 14:37

General

  • Target

    6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe

  • Size

    2.6MB

  • MD5

    2c5727a954b8acb61e9702f5f8624360

  • SHA1

    1d787ffc4d49ae5bf8878f35d966810d8c9cae8c

  • SHA256

    6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcf

  • SHA512

    e9cc85af137e2b0731ab1714b46bce5df7cacb166668780227bf1530003265532591e81dcbd0583c110045b77c5ab1b3ba880efb9df42be977478c2e22a5b3ad

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
    "C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2664
    • C:\AdobeVA\abodec.exe
      C:\AdobeVA\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2780

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeVA\abodec.exe

          Filesize

          2.6MB

          MD5

          2e2ad8c4872ad10cd2f913a6664c465f

          SHA1

          7661ea0fe45a5fff7ec2eca624e471651bef2bbd

          SHA256

          c3bb104b485f1d060b46a744627926857c85450032ef4da95f802b8373cd1950

          SHA512

          a12a9f1421a15e23d2f470a7578bda07bbd4a3522252c9bf957cbf27bb9ab7ef0af06169b9095ed820f4c97238740a453291f41aaa39e74b5ca17b1f2237b416

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          166B

          MD5

          80d6138e564e7fd2c4a1661211e29cc3

          SHA1

          06214a0c1477cc025be2d6124517fe887e674c65

          SHA256

          69dea7a9b85de633ed3ddbf9dd32db02c6a2d4c3ab45a8d72fb4111197c8a977

          SHA512

          2fd9c46642dd4fc2de01e5c5cb8bc8a2427d1bee387d1919698a6fb53602faae2e31e64825d7e8702063b4bb363f009364ca258cea11d8e851bef7c1bde025bc

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          198B

          MD5

          a2293175928f191234dc68156f7274ed

          SHA1

          652ba82b0ae3916c9101d35e6ccf63311ad028a3

          SHA256

          808b5bd08e529475cd0ae08db191f9dc01483000bc6a0ab84eef90cd29827747

          SHA512

          80a9910a8f25157a1b09d265baf2f8b7d5673c8e6aa92820761a0829ca70c7ba0a315edfaa484111269d728d1928bd666a385c91506ef7c8dc0957c4ab4c6278

        • C:\VidNQ\optixec.exe

          Filesize

          2.3MB

          MD5

          3f741ff25655ad6e1a7642dd208cf5f4

          SHA1

          4e0c7488787b0066dbb806d5b7417dc39b70c5b5

          SHA256

          56c91d8a748fc8617b8dcc8ba55bfb93b8d132ebd8c64c3ff20329cd6c1131cf

          SHA512

          06a108f5ec4e958c36c48b9d7c7a182841538462a36009dc8484b49847431e0183e696f0831e122ae7d3b982d12a7d65f7d24ec5cea990f52f6711eb8b7f3d53

        • C:\VidNQ\optixec.exe

          Filesize

          2.6MB

          MD5

          2b23ec558225c41f12d928026a556b97

          SHA1

          e9678b27b3f0a940fe3de221374212f4c0b2d953

          SHA256

          27a7e0c8f5760ea6bec2cb242d4106017d86c41686a8b1a5825da4123407d1dc

          SHA512

          59d7c703d4242bf8b8325004e794c252bb199252218d0b66b3feea1d27105e9bf9856cea46c9aa6a688e013aea7b11a9398047414b2bb86ab37a80d536719868

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

          Filesize

          2.6MB

          MD5

          52187aa753bc94cdebd9a56a2ddab035

          SHA1

          be195be9df5a0af742166b0d4ccba2accbc7a17f

          SHA256

          d0ebf86797d41f0ca23cfffd9587288ea30916790fc485970a1fde028b5ecdf9

          SHA512

          27820671ee21e8fa046de0e21e58917a50e095e97c401eeb71acd6f394fc7255027d9aa0a9f0401ba7c6d9c68aef1248a66a8cb9fd8e226127fc0d5bc412c248