Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 15:03

General

  • Target

    f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe

  • Size

    2.6MB

  • MD5

    7c5ec4cf4d8f7aa0c39533542cb75190

  • SHA1

    21d9fcd8da84e8890c6aa625cc0aac4bff1ea977

  • SHA256

    f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89

  • SHA512

    0f7924e7011e38a6a86157907a501e9ffec1a75d5cd0477e8e23b169d345a059e23f91d4efbc9227e530905337f3aaeafbed81677885d95f8582da1888b11d2e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
    "C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5068
    • C:\AdobeTW\aoptisys.exe
      C:\AdobeTW\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1312

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\AdobeTW\aoptisys.exe

          Filesize

          2.6MB

          MD5

          44fa6dd20cc9bcbdf0dbc7dff836bc5d

          SHA1

          ef259ffddac644b54e59bc7b5160483517ac9dcd

          SHA256

          ec7fb2a4b594ae866937f41d705bd64a6b3732e64cf10b2e17aa9095113936a3

          SHA512

          0cbefe7899797e6c9137bfee46fe15c82e69e3c0080f73d4dfa507a05c235eba06343aa14c21d407aa29a23f2e518f78971900247a4ab4550185d474920136c2

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          11b78c4930d594aab0063749bc331487

          SHA1

          8167724170ae7279bac9c6ee24fc0d8956e1e45a

          SHA256

          4c763b549df43bc07ae8113975de24344a22bd00f84abd75d047c5400f368a82

          SHA512

          fda701284014962af69449381f21608bd9da858d3753758991cf5f5d31f513adfdba518ec4c0e0470d6e9860f02b14735dff6d462fa869fbbf3447b780521b80

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          aa1b45a1ea25bd6cf6fc5ef3b4287fa3

          SHA1

          5d28f74f1f4f2ec0257c39c1511b023a51be8250

          SHA256

          41ca38eb8ccecaa5ffc193b8940c28d6c04df1f6f3eb70869af138008da91f62

          SHA512

          fbc1b54a187be5051083f1388f6ff5210e13e662f9eeeb24c93ac26ebff0a3b8c2700e74e3a9e0919370f1ecee0e6aa0959325e57ad6e147e6651249343a663c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          2.6MB

          MD5

          6b302f7dc8673ebaf2061a662bde1a1c

          SHA1

          3185ef35d7a89aca77d7c265dcd918a61518c09b

          SHA256

          6be21a6106205c051d4ef0f4452438610b16d4d8a7a686c5fac66190c21ac22b

          SHA512

          58f1d4bf896c764f93655e497594483188d56afe6592d53198b7b531fdf0b6d838eb61b97d37056220a9e4152350297f364bb3883988b6303485cd47435f8f45

        • C:\VidLV\boddevsys.exe

          Filesize

          2.6MB

          MD5

          181a9b545e504945ea9376e57a6b9275

          SHA1

          a01811041668f50073d65b2d9e0cd68b71c52683

          SHA256

          86b43bbb32d234238d68c88432f3cabcfccfe5c96f6b681a1dc9ecad0f1a27d2

          SHA512

          63c6b1aa8b633c7883b9313292f5f240621e9df0f6a6742c089c7595e571c6556b47c139b321068b10351ce9be83cabb93d5d711a6a569d5051363a08dc5a5ba

        • C:\VidLV\boddevsys.exe

          Filesize

          2.6MB

          MD5

          e4e369ac8ea3b3528a61cb14ae4def9e

          SHA1

          ec32ceb4e86bcdf16736867316405238f9b83064

          SHA256

          a298eeb403ee116c3959f5bc17ea60bec7026f78b3fe3692d601ac7dadc41a79

          SHA512

          9f9e92f82b8be15328374310387a26dcf8529e7a2c25fa573fe3d70b85c1b1968684740bc7106d2b2e4f27e00b957ba55d0f5f67236a1eca1bd02a84f57e9b54